Imagine the following case: a data subject makes a request to a telephone provider to delete the data, the telephone company must ensure that the personal data is completely deleted.
The data subject is not obliged to ask each company individually – this was decided by the European Court of Justice in a ruling of 27 October 2022 (Case C-129/21 “Proximus”).
The deletion of personal data from directories such as telephone directories could thus become much easier for data subjects in the future, because if customer data was passed on by telephone providers to other providers and search engines, these are also obliged to delete their entries if the customers ask them to do so.
Context:
The case decided by the European Court of Justice, Proximus, a Belgian provider of telephone directories, had received the address data of a data subject from another company, which in return had received the data from the data subject on the basis of consent. The data subject’s consent authorised the disclosure of the data to third parties such as Proximus.
The data subject had then contacted Proximus and requested that his address not be displayed in their directories as well as in the directories of Proximus’ partners. However, after the data subject’s request had been complied with, the data subject’s address reappeared in the Proximus directory due to a “data update” by the company that had originally submitted the data subject’s address to Proximus.
Upon a second request from the data subject, Proximus deleted the data again and informed the data subject that it had forwarded the request to all third parties who had received the data subject’s data from Proximus.
The data subject then complained to the data protection authority, which imposed a fine on Proximus as a result of the incident. Proximus then appealed against this decision. Proximus argued that the customer’s consent was not required for the publication of their data in telephone directories. Rather, this had to be applied for expilcitly via an opt-out procedure. Until then, there was actually no obligation to delete the data.
The ECJ did not follow this argumentation
The customers would therefore have to give their official consent before the data is published. The consent also entitles other companies to process the data – if the same purpose is pursued and if they were named in the original consent request – but it is also sufficient to revoke the consent only once.
In summary, the European Court of Justice thus held that a data controller who receives notice that a data subject has withdrawn consent – either directly from the data subject or from another party – must, pursuant to articles 5(2) and 24 and article 19 GDPR, inform all of its data recipients of the data subject’s withdrawal of consent and, conversely, all of its data providers (!) must also inform it of the data subject’s withdrawal of consent. The ruling states that the data subject can declare the withdrawal of his consent to any data controller in the processing chain.
Conclusion and significance for the online marketing industry
This is the first time that the ECJ has dealt with the notification obligation in art. 19 GDPR in detail. The court takes this opportunity to define and significantly expand the scope of the notification obligation. Specifically, art. 19 GDPR states that controllers must notify to third parties any rectification or erasure of personal data as well as any restriction of processing pursuant to art. 16 17(1) and 18.
While this provision has been largely ignored by the online advertising industry in the past, the new ruling increases its relevance for compliance with the GDPR by advertising technology providers and their partners and clients – and goes even further by applying the notification obligation also to the data controller’s own data providers.
Furthermore, the European Court of Justice states that the data subject can withdraw consent from any data controller in the processing chain. This is reminiscent of the provision in art. 26(3) of the General Data Protection Regulation, which similarly extends the rights of the data subject to cases of joint control. At the same time, the court did not address the issue of joint control in online advertising in this ruling.
It is safe to say that companies operating with “single consent” will need to re-evaluate their DPA compliance mechanisms following this ruling. In particular, companies are obliged to take technical and organisational measures to implement consent requests coming directly from data subjects or forwarded by other parties through different channels and to inform their respective data recipients and data providers automatically and correctly.
In case of non-compliance, affected companies face significant fines if they cannot prove that they have taken the necessary measures to reliably implement the notices and signals to withdraw consent and to correctly inform both data recipients and data providers.