JUDGMENT OF THE COURT (Fourth Chamber)
27 October 2022 (*)
(Reference for a preliminary ruling – Processing of personal data and protection of privacy in the electronic communications sector – Directive 2002/58/EC – Article 12 – Public telephone directories and directory enquiry services – Subscriber’s consent – Obligations of the provider of directories and of directory enquiry services – Regulation (EU) 2016/679 – Article 17 – Right to erasure (‘right to be forgotten’) – Article 5(2) – Article 24 – Information obligations and responsibility of the controller)
In Case C-129/21,
REQUEST for a preliminary ruling under Article 267 TFEU from the hof van beroep te Brussel (Court of Appeal, Brussels, Belgium), made by decision of 24 February 2021, received at the Court on 2 March 2021, in the proceedings
Proximus NV
v
Gegevensbeschermingsautoriteit,
THE COURT (Fourth Chamber),
composed of C. Lycourgos, President of the Chamber, L.S. Rossi (Rapporteur), J.-C. Bonichot, S. Rodin and O. Spineanu-Matei, Judges,
Advocate General: A.M. Collins,
Registrar: M. Ferreira, Principal Administrator,
having regard to the written procedure and further to the hearing on 9 February 2022,
after considering the observations submitted on behalf of:
– Proximus NV, by P. Craddock and T. de Haan, avocats, and by E. Van Bogget, advocaat,
– Gegevensbeschermingsautoriteit, by C. Buggenhoudt, E. Cloots and J. Roets, advocaten,
– the Italian Government, by G. Palmieri, acting as Agent, and by E. De Bonis, avvocato dello Stato,
– the Latvian Government, by E. Bārdiņš, J. Davidoviča and K. Pommere, acting as Agents,
– the Portuguese Government, by P. Barros da Costa, L. Inez Fernandes, M.J. Ramos and C. Vieira Guerra, acting as Agents,
– the Romanian Government, by E. Gane and L. Liţu, acting as Agents,
– the European Commission, by S.L. Kalėda, H. Kranenborg and P.-J. Loewenthal, acting as Agents,
after hearing the Opinion of the Advocate General at the sitting on 28 April 2022,
gives the following
Judgment
1 This request for a preliminary ruling concerns the interpretation of Article 12(2), read in conjunction with point (f) of the second paragraph of Article 2 of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) (OJ 2002 L 201, p. 37), as amended by Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009 (OJ 2009 L 337, p. 11) (‘Directive 2002/58’), and of Article 5(2) and Articles 17, 24 and 95 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ 2016 L 119, p. 1; ‘the GDPR’).
2 The request has been made in proceedings between Proximus NV, a company governed by Belgian public law, and the Gegevensbeschermingsautoriteit (Data Protection Authority, Belgium) (‘the DPA’), concerning the decision by which the Geschillenkamer van de Gegevensbeschermingsautoriteit (Litigation Chamber of the DPA; ‘the Litigation Chamber’) ordered Proximus to take remedial action and to pay a fine of EUR 20 000 for infringement of several provisions of the GDPR.
Legal context
European Union law
Directive 95/46/EC
3 Article 2(h) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ 1995 L 281, p. 31) provides:
‘For the purposes of this Directive:
…
(h) “the data subject’s consent” shall mean any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed.’
Directive 2002/58
4 Recitals 10, 17, 38 and 39 of Directive 2002/58 are worded as follows:
‘(10) In the electronic communications sector, Directive 95/46/EC applies in particular to all matters concerning protection of fundamental rights and freedoms, which are not specifically covered by the provisions of this Directive, including the obligations on the controller and the rights of individuals. …
…
(17) For the purposes of this Directive, consent of a user or subscriber, regardless of whether the latter is a natural or a legal person, should have the same meaning as the data subject’s consent as defined and further specified in Directive 95/46/EC. Consent may be given by any appropriate method enabling a freely given specific and informed indication of the user’s wishes, including by ticking a box when visiting an Internet website.
…
(38) Directories of subscribers to electronic communications services are widely distributed and public. The right to privacy of natural persons and the legitimate interest of legal persons require that subscribers are able to determine whether their personal data are published in a directory and if so, which. Providers of public directories should inform the subscribers to be included in such directories of the purposes of the directory and of any particular usage which may be made of electronic versions of public directories especially through search functions embedded in the software, such as reverse search functions enabling users of the directory to discover the name and address of the subscriber on the basis of a telephone number only.
(39) The obligation to inform subscribers of the purpose(s) of public directories in which their personal data are to be included should be imposed on the party collecting the data for such inclusion. Where the data may be transmitted to one or more third parties, the subscriber should be informed of this possibility and of the recipient or the categories of possible recipients. Any transmission should be subject to the condition that the data may not be used for other purposes than those for which they were collected. If the party collecting the data from the subscriber or any third party to whom the data have been transmitted wishes to use the data for an additional purpose, the renewed consent of the subscriber is to be obtained either by the initial party collecting the data or by the third party to whom the data have been transmitted.’
5 Article 1 of that directive provides:
‘1. This Directive provides for the harmonisation of the national provisions required to ensure an equivalent level of protection of fundamental rights and freedoms, and in particular the right to privacy and confidentiality, with respect to the processing of personal data in the electronic communication sector and to ensure the free movement of such data and of electronic communication equipment and services in the Community.
2. The provisions of this Directive particularise and complement Directive 95/46/EC for the purposes mentioned in paragraph 1. Moreover, they provide for protection of the legitimate interests of subscribers who are legal persons.
…’
6 Article 2 of Directive 2002/58, entitled ‘Definitions’, provides in point (f) of the second paragraph thereof:
‘The following definitions shall also apply:
…
(f) “consent” by a user or subscriber corresponds to the data subject’s consent in Directive 95/46/EC’.
7 Article 12 of that directive, entitled ‘Directories of subscribers’, states:
‘1. Member States shall ensure that subscribers are informed, free of charge and before they are included in the directory, about the purpose(s) of a printed or electronic directory of subscribers available to the public or obtainable through directory enquiry services, in which their personal data can be included and of any further usage possibilities based on search functions embedded in electronic versions of the directory.
2. Member States shall ensure that subscribers are given the opportunity to determine whether their personal data are included in a public directory, and if so, which, to the extent that such data are relevant for the purpose of the directory as determined by the provider of the directory, and to verify, correct or withdraw such data. Not being included in a public subscriber directory, verifying, correcting or withdrawing personal data from it shall be free of charge.
3. Member States may require that for any purpose of a public directory other than the search of contact details of persons on the basis of their name and, where necessary, a minimum of other identifiers, additional consent be asked of the subscribers.
…’
The GDPR
8 Recitals 42, 66 and 173 of the GDPR state:
‘(42) Where processing is based on the data subject’s consent, the controller should be able to demonstrate that the data subject has given consent to the processing operation. In particular in the context of a written declaration on another matter, safeguards should ensure that the data subject is aware of the fact that and the extent to which consent is given. … a declaration of consent pre-formulated by the controller should be provided in an intelligible and easily accessible form, using clear and plain language and it should not contain unfair terms. For consent to be informed, the data subject should be aware at least of the identity of the controller and the purposes of the processing for which the personal data are intended. Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.
…
(66) To strengthen the right to be forgotten in the online environment, the right to erasure should also be extended in such a way that a controller who has made the personal data public should be obliged to inform the controllers which are processing such personal data to erase any links to, or copies or replications of those personal data. In doing so, that controller should take reasonable steps, taking into account available technology and the means available to the controller, including technical measures, to inform the controllers which are processing the personal data of the data subject’s request.
…
(173) This Regulation should apply to all matters concerning the protection of fundamental rights and freedoms vis-à-vis the processing of personal data which are not subject to specific obligations with the same objective set out in Directive 2002/58/EC …, including the obligations on the controller and the rights of natural persons. In order to clarify the relationship between this Regulation and Directive 2002/58/EC, that Directive should be amended accordingly. Once this Regulation is adopted, Directive 2002/58/EC should be reviewed in particular in order to ensure consistency with this Regulation.’
9 Article 4(2), (7) and (11) of that regulation is worded as follows:
‘For the purposes of this Regulation:
…
(2) “processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
…
(7) “controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; …
…
(11) “consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her’.
10 Article 5 of the GDPR, entitled ‘Principles relating to processing of personal data’, provides:
‘1. Personal data shall be:
(a) processed lawfully, fairly and in a transparent manner in relation to the data subject (“lawfulness, fairness and transparency”);
…
2. The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (“accountability”).’
11 Under Article 6 of the GDPR, entitled ‘Lawfulness of processing’:
‘1. Processing shall be lawful only if and to the extent that at least one of the following applies:
(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
…’
12 Article 7 of the GDPR, entitled ‘Conditions for consent’, states:
‘1. Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.
…
3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.
…’
13 Article 16 of the GDPR, entitled ‘Right to rectification’, provides:
‘The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.’
14 Article 17 of the GDPR, entitled ‘Right to erasure (“right to be forgotten”)’, is worded as follows:
‘1. The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
…
(b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;
…
(d) the personal data have been unlawfully processed;
2. Where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
…’
15 Article 19 of the GDPR, entitled ‘Notification obligation regarding rectification or erasure of personal data or restriction of processing’, provides:
‘The controller shall communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with Article 16, Article 17(1) and Article 18 to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller shall inform the data subject about those recipients if the data subject requests it.’
16 Under Article 24 of the GDPR, entitled ‘Responsibility of the controller’:
‘1. Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.
2. Where proportionate in relation to processing activities, the measures referred to in paragraph 1 shall include the implementation of appropriate data protection policies by the controller.
…’
17 Article 94 of the GDPR, entitled ‘Repeal of Directive 95/46/EC’, provides in paragraph 2:
‘References to the repealed Directive shall be construed as references to this Regulation. …’
18 Article 95 of the GDPR, entitled ‘Relationship with Directive 2002/58/EC’, provides:
‘This Regulation shall not impose additional obligations on natural or legal persons in relation to processing in connection with the provision of publicly available electronic communications services in public communication networks in the [European] Union in relation to matters for which they are subject to specific obligations with the same objective set out in Directive 2002/58/EC.’
Belgian law
19 Article 133 of the Wet betreffende de elektronische communicatie (Law on electronic communication), of 13 June 2005 (Belgisch Staatsblad, 20 June 2005, p. 28070), which transposes Article 12 of Directive 2002/58 into Belgian law, is worded as follows:
‘1. Providers of a publicly available telephone service shall inform their subscribers free of charge and before including them in a telephone directory or directory enquiry service of:
1. the purpose of the telephone directory or of the directory enquiry service;
2. the fact that inclusion in the telephone directory or directory enquiry service is free of charge;
3. any uses of the telephone directory or of the directory enquiry service other than the retrieval of personal data on the basis of the name of the subscriber and, where appropriate, the place where the subscriber has his or her permanent address or usually resides or the place where the subscriber has his or her principal place of business.
Only personal data which are relevant for the purpose as communicated in accordance with subparagraph 1 and in respect of which the subscriber in question has indicated that they could be included in the telephone directory or directory enquiry service in question may be included in the telephone directory or directory enquiry service.
To that end, two separate questions shall be put by the operator to the subscriber:
1. whether he or she wishes his or her contact details to be included in the universal directory and in the universal enquiry service;
2. whether he or she wishes his or her contact details to be included in other directories or other enquiry services.
…
2. Every subscriber shall have the right to consult personal data concerning him or her under the conditions laid down by, or pursuant to, the Wet van 8 december 1992 tot bescherming van de persoonlijke levenssfeer ten opzichte van de verwerking van persoonsgegevens (Law of 8 December 1992 on the protection of privacy with regard to the processing of personal data).
Every subscriber shall also have the right to have personal data concerning him or her corrected or withdrawn free of charge from the telephone directory or directory enquiry service in accordance with the procedures and under the conditions laid down by the King, after obtaining the opinion of the Committee for the Protection of Privacy and the Institute.’
20 Article 45(2) of that law obliges telephone service operators to make the data relating to their subscribers available to providers of public directories. Pursuant to Article 45(3) thereof, those operators are to keep separate the data relating to subscribers who have indicated that they do not wish to be included in a directory so as to allow those subscribers to receive the directory without their data being included therein.
The dispute in the main proceedings and the questions referred for a preliminary ruling
21 Proximus, a telecommunications service provider in Belgium, also provides publicly available telephone directories and directory enquiry services (‘directories’) in accordance with the provisions of the Law on electronic communication. Those directories contain the name, address and telephone number (‘contact details’) of the subscribers of the various providers of publicly available telephone services (‘operators’). There are other directories that are published by third parties.
22 The contact details of the subscribers concerned are regularly communicated to Proximus by the operators, with the exception of those subscribers who have expressed the wish not to be included in the directories published by Proximus. In Belgium, the distinction between subscribers who wish to appear in a directory and those who do not leads, in practice, to the assignment of a code in the record of each subscriber, namely ‘NNNNN’ for subscribers whose contact details may appear and ‘XXXXX’ for subscribers whose contact details are to remain confidential. Proximus also supplies the contact details that it receives to another provider of directories.
23 The complainant is a subscriber of the telephone service operator, Telenet, which is active on the Belgian market. Telenet does not provide directories, rather it supplies the contact details of its subscribers to providers of directories, inter alia to Proximus.
24 On 13 January 2019, the complainant asked Proximus not to include his contact details in directories published both by Proximus and by third parties. Following that request, Proximus changed that subscriber’s status in its computer system so that his contact details would no longer be made public.
25 On 31 January 2019, Proximus received from Telenet a routine update of the data of the latter’s subscribers. That update contained new data for the complainant, which were not indicated as being confidential. That information was processed automatically by Proximus and was recorded, with the result that it was again included in the latter’s directories.
26 On 14 August 2019, having realised that his telephone number had been published in the directories of Proximus and of third parties, the subscriber concerned again asked Proximus not to include his data in the directories. On the same date, Proximus replied to the complainant that it had withdrawn his data from the directories and contacted Google to have the relevant links to Proximus’ website deleted. Proximus also informed that subscriber that it had forwarded his contact details to other providers of directories and that, via the monthly updates, those providers had been informed of the complainant’s request.
27 At the same time, the subscriber concerned submitted a complaint to the DPA against Proximus on the ground that, despite his request for his contact details not to be included in the directories, his telephone number was nevertheless included in some of those directories.
28 On 5 September 2019, the complainant and Proximus had further exchanges concerning the publication of that subscriber’s data in the directory of a third party. In that context, Proximus stated that it forwards the contact details of its subscribers to other providers of directories, but that it is not in any way privy to the internal procedures of those providers.
29 On 30 July 2020, after hearing both parties, the Geschillenkamer (Litigation Chamber) adopted a decision by which it ordered Proximus to take remedial action and to pay a fine of EUR 20 000 for infringement, inter alia, of Article 6 of the GDPR, read in conjunction with Article 7 thereof, and of Article 5(2) of that regulation, read in conjunction with Article 24 thereof. In particular, it first ordered Proximus to respond appropriately and immediately to the withdrawal of consent by the subscriber concerned and to comply with the requests of that subscriber seeking to exercise his right to erasure of the data concerning him. It then ordered Proximus to take appropriate technical and organisational measures to ensure that the processing of personal data that it performs complies with the provisions of the GDPR. Lastly, it ordered Proximus to cease unlawfully passing on the data concerned to other providers of directories.
30 On 28 August 2020, Proximus brought an action against that decision before the hof van beroep te Brussel (Court of Appeal, Brussels).
31 In Proximus’ view, in accordance with Article 45(3) of the Law on electronic communication, the consent of the subscriber is not required, rather subscribers must themselves request not to be included in the directories under an ‘opt-out’ system. In the absence of such a request, the subscriber concerned may in fact be included in those directories. Accordingly, in Proximus’ view, no ‘consent’ within the meaning of Directive 95/46 or within the meaning of the GDPR is, in the present case, required from the subscriber.
32 Taking the opposite view, the DPA contended, in essence, that Article 12(2) of Directive 2002/58 and Article 133(1) of the Law on electronic communication require the ‘consent of subscribers’, within the meaning of the GDPR, in order for the providers of directories to be able to process and pass on their personal data.
33 The referring court considers that Directive 2002/58 constitutes a lex specialis in relation to the GDPR, as is confirmed by recital 173 and Article 95 of the GDPR. Consequently, in the situations in which Directive 2002/58 further specifies the GDPR rules, the specific provisions of that directive prevail as lex specialis over the more general provisions of the GDPR.
34 In that context, the referring court observes that Article 12(2) of Directive 2002/58 and Article 133(1) of the Law on electronic communication, while requiring an expression of the subscribers’ wishes in order for the providers of directories to be able to process their personal data, do not specify whether that expression of wishes must take the form of the exercise of a right of option, as Proximus maintains, or of the indication of genuine consent within the meaning of the GDPR, as stated by the DPA. On that point, the referring court notes that the Court’s case-law, in particular the judgment of 5 May 2011, Deutsche Telekom (C-543/09, EU:C:2011:279, paragraph 61), established that – as follows from a contextual and systematic interpretation of Article 12 of Directive 2002/58 – the expression of wishes at issue corresponds to ‘consent’ in relation to the purpose of the publication of personal data in a public directory and not to the identity of any particular directory provider.
35 Furthermore, given that no specific rules have been drawn up concerning the withdrawal by a subscriber of that expression of wishes or of that ‘consent’, neither in Directive 2002/58, nor in the Law on electronic communication, nor in an implementing decree, the referring court asks whether all the provisions of the GDPR must apply automatically and without any restrictions also in the particular context of telephone directories.
36 In those circumstances the hof van beroep te Brussel (Court of Appeal, Brussels) decided to stay the proceedings and refer the following questions to the Court of Justice for a preliminary ruling:
‘(1) Must Article 12(2) of [Directive 2002/58], read in conjunction with Article 2(f) thereof and Article 95 of the [GDPR] be interpreted as permitting a national supervisory authority to require a subscriber’s “consent” within the meaning of the [GDPR] as the basis for the publication of the subscriber’s personal data in public directories and directory enquiry services, published both by the operator itself and by third-party providers, in the absence of national legislation to the contrary?
(2) Must the right to erasure contained in Article 17 of the [GDPR] be interpreted as precluding a national supervisory authority from categorising a request by a subscriber to be removed from public directories and directory enquiry services as a request for erasure within the meaning of Article 17 of the [GDPR]?
(3) Must Article 24 and Article 5(2) of the [GDPR] be interpreted as precluding a national supervisory authority from concluding from the obligation of accountability laid down therein that the controller must take appropriate technical and organisational measures to inform third-party controllers, namely, the telephone service provider and other providers of directories and directory enquiry services which have received data from that first controller, of the withdrawal of the data subject’s consent in accordance with Article 6 in conjunction with Article 7 of the [GDPR]?
(4) Must Article 17(2) of the [GDPR] be interpreted as precluding a national supervisory authority from ordering a provider of public directories and directory enquiry services which has been requested to cease disclosing data relating to an individual to take reasonable steps to inform search engines of that request for erasure?’
The questions referred for a preliminary ruling
The first question
37 Proximus submits that the case in the main proceedings does not concern the publication by a telephone service operator of directories containing personal data, with the result that the first question referred for a preliminary ruling should be considered inadmissible in so far as it concerns such a situation.
38 In accordance with settled case-law, questions on the interpretation of EU law referred by a national court in the factual and legislative context which that court is responsible for defining, and the accuracy of which is not a matter for the Court to determine, enjoy a presumption of relevance. The Court may refuse to rule on a question referred for a preliminary ruling by a national court only where it is quite obvious that the interpretation of EU law that is sought bears no relation to the actual facts of the main action or its purpose, where the problem is hypothetical, or where the Court does not have before it the factual or legal material necessary to give a useful answer to the questions submitted to it (judgment of 1 August 2022, Vyriausioji tarnybinės etikos komisija, C-184/20, EU:C:2022:601, paragraph 48 and the case-law cited).
39 In the present case, the dispute in the main proceedings is solely between a natural person and a company which is not his telephone service operator, regarding the manner in which that company processed the personal data of that person in the context of the publication of directories. It follows that the first question is inadmissible in so far as it seeks an interpretation of the requirements arising from Article 12(2) of Directive 2002/58 for the situation in which it is the telephone service operator of the person concerned that itself publishes his or her personal data in directories.
40 It follows from the foregoing that, by its first question, the referring court asks, in essence, whether Article 12(2) of Directive 2002/58, read in conjunction with point (f) of the second paragraph of Article 2 of that directive and with Article 95 of the GDPR, must be interpreted as meaning that ‘consent’ within the meaning of Article 4(11) of the GDPR is required from the subscriber of a telephone service operator in order for that subscriber’s personal data to be included in directories published by providers other than that operator.
41 In order to answer that question, it should be borne in mind that Article 1(1) of Directive 2002/58 provides, inter alia, for the harmonisation of the national provisions required to ensure an equivalent level of protection of fundamental rights and freedoms, and in particular the right to privacy and confidentiality, with regard to the processing of personal data in the electronic communications sector.
42 In that regard, it should be borne in mind that it is clear from Article 12(1) and recital 38 of that directive that, before being included in public directories, subscribers are to be informed of the purposes of the directory and of any particular usage which may be made of it, in particular through search functions embedded in the software of the electronic versions of the directories.
43 Recital 39 of Directive 2002/58 further states, with respect to the obligation of prior information for subscribers under Article 12(1) thereof: ‘where the [personal] data may be transmitted to one or more third parties, the subscriber should be informed of this possibility and of the recipient or the categories of possible recipients’.
44 After obtaining the information referred to in Article 12(1) of Directive 2002/58, the subscriber may – as is clear from Article 12(2) thereof – decide whether his or her personal data are to be included in a public directory and, if so, which personal data.
45 As the Court has already held, such prior information gives the subscriber concerned the opportunity to give consent to the publication of his or her personal data in public directories, such consent being necessary for the purposes of such a publication (see, to that effect, judgment of 5 May 2011, Deutsche Telekom, C-543/09, EU:C:2011:279, paragraphs 54 and 58).
46 The requirement to obtain the consent of the subscriber concerned for the purposes of publishing those data in directories is confirmed in Article 12(3) of Directive 2002/58, according to which Member States may require that for any purpose of a public directory other than the search of contact details of persons on the basis of their name, ‘additional consent be asked of the subscribers’.
47 However, as the Court has stated, it follows from a contextual and systematic interpretation of Article 12 of Directive 2002/58 that the consent under Article 12(2) relates to the purpose of the publication of personal data in a public directory and not to the identity of any particular directory provider. Accordingly, where the subscriber concerned has consented to his or her data being published in a directory with a specific purpose, he or she will generally not have standing to object to the publication of the same data in another, similar directory (judgment of 5 May 2011, Deutsche Telekom, C-543/09, EU:C:2011:279, paragraphs 61 and 62).
48 In that regard, recital 39 of Directive 2002/58 confirms that the passing of subscribers’ personal data to third parties is ‘subject to the condition that the data may not be used for other purposes than those for which they were collected’.
49 It follows that where a subscriber has been informed by a telephone service operator, such as Telenet, of the possibility that his or her personal data may be passed to a third-party undertaking, such as Proximus or other third parties, with a view to being published in a public directory, and where that subscriber has consented to the publication of those data in such a directory, renewed consent is not needed from the subscriber concerned for the passing of those same data by that operator or by that undertaking to another undertaking which intends to publish a printed or electronic public directory, or to make such directories available for consultation through directory enquiry services, if it is guaranteed that the data in question will not be used for purposes other than those for which the data were collected with a view to their first publication. The consent given under Article 12(2) of Directive 2002/58, by a subscriber who has been duly informed, to the publication of his or her personal data in a public directory relates to the purpose of that publication and thus extends to any subsequent processing of those data by third-party undertakings active in the market for publicly available directory enquiry services and directories, provided that such processing pursues that same purpose (judgment of 5 May 2011, Deutsche Telekom, C-543/09, EU:C:2011:279, paragraph 65).
50 However, as stated in recital 39 of that directive, if the party collecting the data from the subscriber or any third party to whom the data have been transmitted wishes to use the data for an additional purpose, the renewed consent of the subscriber is to be obtained either by the initial party collecting the data or by the third party to whom the data have been transmitted.
51 As regards the manner in which such consent must be indicated, it follows from point (f) of the second paragraph of Article 2 of Directive 2002/58, read in conjunction with Article 94(2) and Article 95 of the GDPR, that such consent must, in principle, meet the requirements under Article 4(11) of that regulation.
52 In the present case, Article 4(11) of the GDPR, which constitutes the provision applicable to the facts at issue in the main proceedings, defines the ‘consent of the data subject’ as requiring a ‘freely given, specific, informed and unambiguous’ indication of the data subject’s wishes in the form of a statement or of ‘a clear affirmative action’ signifying agreement to the processing of personal data relating to him or her.
53 It follows that such consent is necessary in order for the personal data relating to the subscriber of a telephone service operator to be included in directories.
54 Consequently, the publication of the personal data relating to the subscriber in question in directories such as those published by Proximus or by other providers can be regarded as lawful within the meaning of Article 6(1)(a) of the GDPR only if such consent exists, having been expressly given to the telephone service operator or to one of those providers of directories.
55 However, as has been noted in paragraph 49 above, such consent does not presuppose that, on the date on which it is given, the data subject is necessarily aware of the identity of all the providers of directories which will process his or her personal data.
56 In the light of the foregoing considerations, the answer to the first question is that Article 12(2) of Directive 2002/58, read in conjunction with point (f) of the second paragraph of Article 2 thereof and with Article 95 of the GDPR, must be interpreted as meaning that ‘consent’ within the meaning of Article 4(11) of the GDPR is required from the subscriber of a telephone service operator in order for the personal data of that subscriber to be included in directories published by providers other than that operator, and that that consent may be provided to that operator or to one of those providers.
The second question
57 By its second question, the referring court asks, in essence, whether Article 17 of the GDPR must be interpreted as meaning that the request by a subscriber to have his or her personal data withdrawn from directories constitutes making use of the ‘right to erasure’ within the meaning of that article.
58 It should first of all be noted that Proximus submits that Article 17 of the GDPR is not applicable to a provider of directories which, as in the present case, is not the subscriber’s telephone service operator and that a request, such as that referred to in the preceding paragraph, should, at most, have to be regarded as constituting a request for rectification within the meaning of Article 16 of that regulation. Accordingly, the second question referred for a preliminary ruling is inadmissible in that it is irrelevant to the case in the main proceedings.
59 However, the arguments put forward by that party relate, in essence, to the field of application and scope, and therefore to the interpretation, of the provisions of EU law to which the second question relates. Such arguments, which concern the substance of the question referred, cannot therefore, by their very nature, lead to the inadmissibility of the question (judgment of 13 January 2022, Minister Sprawiedliwości, C-55/20, EU:C:2022:6, paragraph 83).
60 It follows that the second question referred for a preliminary ruling is admissible.
61 In the first place, it should be noted that, under the second sentence of Article 12(2) of Directive 2002/58, subscribers must have, inter alia, the opportunity to have the personal data relating to them withdrawn from public directories.
62 However, the grant of such an opportunity to subscribers does not constitute, as regards the providers of directories, a specific obligation, within the meaning of Article 95 of the GDPR, which would make it possible to exclude the application of the relevant provisions of that regulation. As the Advocate General observed, in essence, in point 54 of his Opinion, Directive 2002/58 does not contain any indications as to the modalities, implementation and consequences of requests to obtain the withdrawal of personal data. Accordingly, as is apparent, moreover, from recital 10 of that directive, read in conjunction with Article 94 of the GDPR, the provisions of the GDPR may be applied in such a situation.
63 In the second place, it follows from Article 17(1)(b) and (d) of the GDPR that the data subject is to have the right to obtain from the controller the erasure of personal data concerning him or her and that the controller is to have the obligation to erase those data without undue delay, inter alia where the data subject ‘withdraws consent on which the processing is based according to point (a) of Article 6(1) … and where there is no other legal ground for the processing’ or even where ‘the personal data have been unlawfully processed’.
64 In that regard, first, it follows from the answer to the first question referred for a preliminary ruling that the publication of a subscriber’s personal data in directories is based on that subscriber’s consent.
65 Secondly, it is apparent from Article 6(1)(a) and Article 7(3) of the GDPR that such consent constitutes one of the necessary conditions for a finding that the processing of the personal data of the subscriber concerned is lawful, and that that consent may be withdrawn at any time and in a manner which is as easy as that which enabled the data subject to give such consent.
66 In the present case, when the subscriber requests that his or her data no longer be included in a directory, he or she is withdrawing his or her consent to the publication of those data. On the basis of the withdrawal of his or her consent, he or she obtains, in the absence of another legal ground for such processing, the right to request the erasure of his or her personal data from that directory pursuant to Article 17(1)(b) of the GDPR or, where the controller continues to publish those data unlawfully, pursuant to Article 17(1)(d) of that regulation.
67 In those circumstances, it must be concluded that the request by a subscriber to have his or her personal data withdrawn from directories may be regarded as making use of the ‘right to erasure’ of those data within the meaning of Article 17 of the GDPR.
68 That conclusion cannot be called into question by Proximus’ argument that such a request should be regarded as seeking to allow that subscriber to exercise his or her right to obtain from the controller the rectification of the personal data concerning him or her, pursuant to Article 16 of the GDPR. Under that provision, such a rectification is possible where those data are inaccurate and is intended to allow the data subject to have those data completed.
69 However, in the present case, a request for withdrawal of a subscriber’s data contained in a directory does not seek to replace inaccurate data with correct data or to complete incomplete data, but to withdraw the publication of correct data.
70 The fact that such a withdrawal takes the form, in the present case, of the mere adjustment of the code assigned to the subscriber concerned in Proximus’ database – from which that subscriber’s personal data are published in the directories – cannot prevent a request for withdrawal of personal data contained in those directories from being regarded as a ‘request for erasure’ within the meaning of Article 17 of the GDPR. As is apparent from the documents before the Court, the method of withdrawal provided for by the operator in question constitutes a purely technical or organisational measure which proves necessary to respond to the request for erasure of the data subject’s personal data and to prevent the disclosure of those data.
71 In the light of the foregoing considerations, the answer to the second question is that Article 17 of the GDPR must be interpreted as meaning that the request by a subscriber to have his or her personal data withdrawn from directories constitutes making use of the ‘right to erasure’ within the meaning of that article.
The third question
72 By its third question, the referring court asks, in essence, whether Article 5(2) and Article 24 of the GDPR must be interpreted as meaning that a national supervisory authority may require that a provider of directories, as controller, take appropriate technical and organisational measures to inform third-party controllers, namely the telephone service operator which has communicated its subscriber’s personal data to that provider and the other providers of directories to which that provider has itself supplied such data, of the withdrawal of the subscriber’s consent.
73 As a preliminary point, it should be noted that, in the present case, Proximus processed personal data of the complainant by publishing them and by communicating them to other providers of directories. Telenet, the complainant’s telephone service operator, also processed those data, inter alia by passing them on to Proximus. The same is true of the other providers of directories that received the complainant’s contact details from Proximus and that published them.
74 In addition, it should be noted, first, that, as has been pointed out in paragraph 20 above, although the Law on electronic communication requires telephone service operators to pass on the data relating to their subscribers to providers of public directories, those operators must, however, keep separate the data relating to subscribers who have indicated that they do not wish to be included in a directory so as to allow those subscribers to receive a copy of that directory without their data being included therein.
75 It is apparent from the documents before the Court that, in practice, it is usually to his or her telephone service operator that the subscriber gives his or her consent to the publication of his or her personal data in a directory, such consent making it possible for those data to be transferred to a third-party provider of directories. That provider may, in turn, communicate such data to other providers of directories on the basis of the same consent, those controllers thus constituting a chain in which each in turn processes the data in question independently on the basis of one and the same consent.
76 Secondly, it is also apparent from the documents before the Court that the update of Proximus’ database, which was intended to give effect to the withdrawal of the complainant’s consent, was erased as soon as the complainant’s telephone service operator sent Proximus a new list of data relating to its subscribers – for the purposes of publication of those data in the directories – which did not take into account the fact that the complainant had notified Proximus of the withdrawal of his consent.
77 In that context, the question thus arises whether a provider of directories such as Proximus, when a subscriber of a telephone service operator withdraws his or her consent to be included in the directories of that provider, must not only update its own database to take account of that withdrawal, but must also notify the withdrawal both to the telephone service operator which has communicated the data concerned to that provider and also to the other providers of directories to which that provider has itself forwarded such data.
78 In the first place, it should be recalled that Article 6(1)(a) of the GDPR provides that processing is to be lawful only if and to the extent that the data subject has given consent to the processing of his or her personal data for one or more specific purposes. However, it is apparent from the order for reference that the complainant withdrew his consent, within the meaning of Article 7(3) of that regulation, to the processing of his personal data for the purposes of their publication in directories. Following such a withdrawal, the processing of those data for the purposes of their inclusion in public directories, including that performed for the same purpose by the telephone service operators or by other providers of directories on the basis of the same consent, no longer has any legal ground and is thus unlawful in the light of Article 6(1)(a) of the GDPR.
79 In the second place, it should be recalled that, in accordance with Article 5(1)(a) and (2) of the GDPR, the controller must ensure that it is able to demonstrate that personal data are processed lawfully, fairly and in a transparent manner in relation to the data subject.
80 As regards Article 24 of the GDPR, that provision requires that, taking into account the nature, scope, context and purposes of processing, the controller implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with that regulation.
81 As the Advocate General observed in point 67 of his Opinion, Article 5(2) and Article 24 of the GDPR impose general accountability and compliance requirements upon controllers of personal data. In particular, those provisions require controllers to take appropriate steps to prevent any infringements of the rules laid down in the GDPR in order to ensure the right to the protection of data.
82 From that point of view, Article 19 of the GDPR provides, inter alia, that the controller is to communicate any erasure of personal data carried out in accordance with Article 17(1) of that regulation to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort.
83 It follows from the general obligations laid down in Article 5(2) and Article 24 of the GDPR, read in conjunction with Article 19 thereof, that a controller of personal data, such as Proximus, must, by means of appropriate technical and organisational measures, inform the other providers of directories that have received such data from it of the withdrawal of the data subject’s consent addressed to it. In circumstances such as those set out in paragraph 76 above, such a controller must also ensure that the telephone service operator that has communicated those personal data to it is informed so that that operator amends the list of personal data that it automatically forwards to that provider of directories and keeps separate the data of its subscribers who have indicated their wish to withdraw their consent to those data being made public.
84 Where, as in the present case, various controllers rely on the single consent of the data subject in order to process his or her personal data for the same purpose, it is sufficient, in order for that data subject to withdraw such consent, that he or she contacts, for the purposes of the withdrawal requested, any one of the controllers which rely on that same consent.
85 As the Commission correctly observes, in order to ensure the effectiveness of the right of the data subject to withdraw his or her consent provided for in Article 7(3) of the GDPR and to ensure that the data subject’s consent is strictly linked to the purpose for which it was given, the controller to which the data subject has notified the withdrawal of his or her consent to the processing of his or her personal data is in fact required to communicate that withdrawal to any person who has forwarded those data to it and to the person to whom it has, in turn, forwarded those data. The controllers thus informed are then, in turn, obliged to forward that information to the other controllers to which they have communicated such data.
86 In that regard, it should, first of all, be noted that such an information obligation is intended to prevent any possible infringement of the rules laid down in the GDPR in order to ensure the right to the protection of data and thus forms part of the appropriate measures within the meaning of Article 24 of that regulation. Furthermore, as the Advocate General stated in point 68 of his Opinion, it also forms part of the requirement laid down in Article 12(2) of the GDPR, pursuant to which the controller must facilitate the exercise of the rights conferred on the data subject, inter alia, by Article 17 of that regulation.
87 Next, it must be found that the absence of such an obligation on the controller to communicate the withdrawal of the data subject’s consent could make the withdrawal of consent particularly difficult, since that data subject might consider himself or herself required to contact each of the operators. Such an approach would thus be contrary to Article 7(3) of the GDPR, which provides that it must be as easy to withdraw, as to give, consent to the processing of personal data.
88 Lastly, in accordance with the case-law referred to in paragraph 49 above, the consent given under Article 12(2) of Directive 2002/58, by a subscriber who has been duly informed, to the publication of his or her personal data in a public directory relates to the purpose of that publication and thus extends to any subsequent processing of those data by third-party undertakings active in the market for directories, provided that such processing pursues that same purpose.
89 It follows that, as the Advocate General observed in point 68 of his Opinion, since a provider of directories may rely on the consent given by a subscriber, to the processing of data for that same purpose, to another provider or to his or her telephone service operator, it must be possible for a subscriber, in order to withdraw consent, to contact any one of the providers of directories or that telephone service operator with a view to his or her contact details being withdrawn from directories published by all of those who rely upon his or her single expression of consent.
90 In the light of the foregoing considerations, the answer to the third question is that Article 5(2) and Article 24 of the GDPR must be interpreted as meaning that a national supervisory authority may require that the provider of directories, as controller, take appropriate technical and organisational measures to inform third-party controllers, namely the telephone service operator which has communicated its subscriber’s personal data to that provider and the other providers of directories to which that provider has itself supplied such data, of the withdrawal of the subscriber’s consent.
The fourth question
91 By its fourth question, the referring court asks, in essence, whether Article 17(2) of the GDPR must be interpreted as precluding a national supervisory authority from ordering a provider of directories – which has been requested by the subscriber of a telephone service operator to cease disclosing personal data relating to him or her – to take ‘reasonable steps’, within the meaning of that provision, to inform search engine providers of that request for erasure of the data.
92 In order to answer that question, it should be borne in mind that Article 17(2) of the GDPR imposes the obligation on the controller which has made the personal data public, taking account of available technology and the cost of implementation, to take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
93 As is apparent from recital 66 of the GDPR, the objective of that obligation is to strengthen the right to be forgotten in the online environment, and therefore specifically applies to information made available on the internet by search engine providers that process data published online.
94 In the present case, it is common ground that Proximus published, in its directory, the complainant’s personal data and, therefore, that that company must be regarded as a controller which has made such data public within the meaning of Article 17(2) of the GDPR.
95 Furthermore, it must be borne in mind, first, that, in accordance with settled case-law, the activity of a search engine consisting in finding information published or placed on the internet by third parties, indexing it automatically, storing it temporarily and, finally, making it available to internet users according to a particular order of preference must be classified as ‘processing’ of personal data within the meaning of Article 4(2) of the GDPR when that information contains personal data and, second, that the operator of that search engine must be regarded as the ‘controller’ in respect of that processing, within the meaning of Article 4(7), and therefore also of Article 17(2), of that regulation (see, to that effect, judgment of 24 September 2019, GC and Others (De-referencing of sensitive data), C-136/17, EU:C:2019:773, paragraph 35 and the case-law cited).
96 Accordingly, in circumstances such as those at issue in the main proceedings, it must be concluded that a controller such as Proximus is required, under Article 17(2) of the GDPR, to ensure that reasonable steps are taken to inform search engine providers of the request addressed to it by the subscriber of a telephone service operator for erasure of his or her personal data. However, as the Advocate General observed in point 76 of his Opinion, in order to assess the reasonableness of the steps taken by the provider of directories, Article 17(2) of the GDPR provides that the available technology and the cost of implementation must be taken into account, a task that falls primarily upon the authority competent for such matters, subject to judicial review.
97 In the present case, it is apparent from the written observations lodged by the DPA, which have not been challenged on that point by the other parties to the present proceedings, that, during the second quarter of 2020, there were a limited number of search engine providers operating in Belgium. In particular, Google had a market share of between 90%, as regards desktop searches, and 99%, as regards smartphone and tablet searches.
98 In addition, as stated in paragraph 26 above, it is apparent from the documents before the Court that, in response to the subscriber’s request for his data not to be included in the directories of that provider, Proximus stated that it had not only withdrawn those data from the telephone directories and from the directory enquiry services, but that it had also contacted Google to have the relevant links to Proximus’ website deleted.
99 In the light of the foregoing considerations, the answer to the fourth question is that Article 17(2) of the GDPR must be interpreted as not precluding a national supervisory authority from ordering a provider of directories – which has been requested by the subscriber of a telephone service operator to cease disclosing personal data relating to him or her – to take ‘reasonable steps’, within the meaning of that provision, to inform search engine providers of that request for erasure of the data.
Costs
100 Since these proceedings are, for the parties to the main proceedings, a step in the action pending before the national court, the decision on costs is a matter for that court. Costs incurred in submitting observations to the Court, other than the costs of those parties, are not recoverable.
On those grounds, the Court (Fourth Chamber) hereby rules:
1. Article 12(2) of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector, as amended by Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009, read in conjunction with point (f) of the second paragraph of Article 2 of that directive and with Article 95 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation),
must be interpreted as meaning that ‘consent’ within the meaning of Article 4(11) of that regulation is required from the subscriber of a telephone service operator in order for the personal data of that subscriber to be included in publicly available telephone directories and directory enquiry services published by providers other than that operator, and that that consent may be provided to that operator or to one of those providers.
2. Article 17 of Regulation 2016/679
must be interpreted as meaning that the request by a subscriber to have his or her personal data withdrawn from publicly available telephone directories and directory enquiry services constitutes making use of the ‘right to erasure’ within the meaning of that article.
3. Article 5(2) and Article 24 of Regulation 2016/679
must be interpreted as meaning that a national supervisory authority may require that the provider of publicly available telephone directories and directory enquiry services, as controller, take appropriate technical and organisational measures to inform third-party controllers, namely the telephone service operator that has communicated its subscriber’s personal data to that provider and the other providers of publicly available telephone directories and directory enquiry services to which that provider has itself supplied such data, of the withdrawal of the subscriber’s consent.
4. Article 17(2) of Regulation 2016/679
must be interpreted as not precluding a national supervisory authority from ordering a provider of publicly available telephone directories and directory enquiry services – which has been requested by the subscriber of a telephone service operator to cease disclosing personal data relating to him or her – to take ‘reasonable steps’, within the meaning of that provision, to inform search engine providers of that request for erasure of the data.
[Signatures]
* Language of the case: Dutch.