On October 27, 2022, the ECJ addressed itself in its Judgment C‑129/21 i.S. Proximus dealt with the question of whether a link in a processing or transfer chain must inform the other links before and after it of a deletion:
The subject matter was a telephone directory (subscriber directory). The complainant’s provider, Telenet, had passed directory data on to Proximus, another Belgian provider, among others.
The first two submission questions can be briefly summarized:
- The ECJ first states that Art. 12 para. 2 of the e‑Privacy Directive 2002 a Consent required for inclusion in subscriber directoriesHowever, this consent is not limited to a specific provider – with the initial consent, the directory data may therefore be disclosed to another provider, provided the purpose of the processing is not extended (as already stated in the Deutsche Telekom judgment), ECJ Case C‑543/09 dated 5.5.2011). The initial consent must meet the requirements of the GDPR.
- If a subscriber requests that his or her personal data be removed from subscriber directories, providers must then comply – this is an exercise of the “Right to cancellation” within the meaning of Art. 17 GDPR.
The third question submitted is more explosive. Here, it was a question of whether a directory provider must inform other providers accordingly in the event of deletion, against the background of the transfer chain:
This provider may, in turn, transfer the data to other providers of subscriber directories on the basis of the same consent, thus creating a chain of controllers that process the data one after the other independently on the basis of the same consent
The question here was more specifically whether a provider in the middle, to whom the revocation of consent was declared, must also inform the upstream and downstream links in the chain:
[…] whether, when a subscriber of a telephone service provider withdraws consent to be included in that provider’s directories, a directory service provider such as Proximus must not only update its own database […] but also inform the telephone service provider that transmitted the data in question to it, as well as the other directory service providers to which it itself transmitted data, of the withdrawal.
The ECJ answered this question in the affirmative with the following considerations:
- After revocation of consent, further processing would be unlawful within the meaning of the GDPR (lack of legal basis).
- The controller must be able to prove the lawfulness of its processing pursuant to Art. 5 GDPR. According to Art. 24 GDPR, he must also implement appropriate technical and organizational measures to ensure lawfulness and its proof.
- More specifically, Art. 19 GDPR provides that the controller shall notify all recipients to whom personal data have been disclosed of any erasure, unless this is impossible or disproportionate.
From this, the ECJ draws the following conclusion:
85 In order to ensure the effectiveness of the right to withdraw consent provided for in Article 7(3) of the GDPR and to ensure that the data subject’s consent is strictly related to the purpose for which it was given, the controller to whom the data subject has withdrawn his or her consent to the processing of his or her personal data shall, in accordance with the Commission’s pertinent comments, in effect obliged to inform any person who has communicated such data to him, as well as the person to whom he in turn has communicated the data, of the revocation. The responsible persons informed accordingly are then in turn obliged, to forward this information to the other data controllers to whom they have transmitted such data.
With regard to the fourth question referred for a preliminary ruling, the ECJ further states that the responsible person even Search engine provider – who are their own responsible persons – must inform:
96 In circumstances such as those of the main proceedings, it must therefore be assumed that a controller such as Proximus, pursuant to Article 17(2) GDPR. must take reasonable measures to inform search engine providers of the request received by it from the subscriber of a telephone service provider for the deletion of his personal data. However, as the Advocate General pointed out in point 76 of his Opinion, Article 17(2) GDPR provides that the assessment of the adequacy of the measures taken by the directory provider must take into account the available technology and the implementation costs, and that this assessment is primarily for the competent authority and is subject to judicial review.
These considerations of the ECJ are not limited to subscriber directories. It can therefore be assumed that the ECJ would generally decide in the same way in other processing chains, i.e. that the revocation of consent would generally have to be communicated to the upstream and downstream links. This ultimately as part of the compliance system that the controller must operate in particular due to Art. 24 GDPR.
However, this cannot be transferred to Switzerland or the DPA.:
- At Draft of the revised VDSG it was still stipulated that the controller must inform recipients of data “without undue delay about the correction, deletion or destruction as well as the restriction of the processing of personal data” (then Art. 16; critically here). This provision was rightly not included in the DSV. It would therefore be incompatible with the will of the legislator to distill such obligations from general principles. Switzerland also does not have an accountability obligation as the ECJ states here.
- The principle of privacy by design then also applies in the FADP, but it does not specify any additional substantive obligations, but only requires existing obligations to be proactively safeguarded (i.e., it cuts off the controller’s objection that it cannot fulfill a certain data protection obligation due to the system design).