Withdrawal of Consent – What Steps Must a Controller Take?
The CJEU has recently held (Case C-129/21, Proximus) that a controller must implement technical and organisational measures to inform the other controllers with whom it has shared personal data that the data subject to whom the data relate has made an erasure request.
The case involves a complainant who is a subscriber to the Belgian telephone service operator, Telenet. Telenet transfers telecom subscriber data to directory providers, including Proximus.
In January 2019, the complainant asked Proximus to remove his details from the directories of telecom subscribers published by Proximus and by third parties, through which certain personal data of subscribers were made publicly available. Following the request, Proximus changed the complainant's status in its computer system so that his contact details would no longer be made public.
Proximus subsequently received an update on the complainant’s data from Telenet, which contained new data on the complainant. This information was processed automatically by Proximus and was made public.
After discovering that his phone number had nonetheless been published in both Proximus's directory and third-party directories, the complainant again requested that Proximus remove his data from the directories and lodged a complaint with the Belgian DPA. On the same day, Proximus replied to the complainant, withdrew the data concerned from the directories and contacted Google to have the relevant links to Proximus's website deleted. Proximus also informed the complainant that it had forwarded his contact details to other directory providers and had informed those providers of his erasure request.
In July 2020, the Belgian DPA imposed corrective measures on Proximus and fined it EUR 20,000 for infringing Articles 5(2) (accountability), 6 (lawful basis), 7 (consent) and 24 (responsibility of the controller) GDPR.
Proximus appealed the decision before the Brussels Court of Appeal, which referred a number of questions to the CJEU for a preliminary ruling.
Obligations on a controller following the withdrawal of consent
The CJEU found that subscribers must be able to have their personal data removed from telecom directories and that, where such processing is based on consent, a request by a subscriber to that effect may be regarded as an exercise of the right to erasure under Article 17(1)(b) GDPR (erasure where the data subject withdraws the consent on which the processing is based).
Article 19 GDPR places an obligation on controllers to communicate any erasure of personal data to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort.
In this case the CJEU went further, holding that Articles 5(2) and 24 GDPR require a controller such as Proximus to implement appropriate technical and organisational measures to inform the other directory providers to which it provided those data of the withdrawal of the data subject's consent.
The Court found that where several controllers rely on a single consent given by the data subject to process that data subject's personal data for the same purpose, it is sufficient for the data subject to address the withdrawal of consent to any one of the controllers relying on that consent. The controller that receives the withdrawal is then obliged to pass it on to the other controllers to which it has communicated the data subject's personal data.
Article 17(2) GDPR addresses the separate case where the controller has itself made the personal data public and is obliged to erase them under Article 17(1): the controller, taking account of the available technology and the cost of implementation, must take reasonable steps, including technical measures, to inform other controllers that are processing the personal data that the data subject has requested the erasure of any links to, or copies or replications of, those personal data.
The Court found that in circumstances such as in this case, a controller is required under Article 17(2) GDPR to ensure reasonable steps are taken to inform search engine providers of the erasure request. The Court noted that in order to assess the reasonableness of the steps, account should be taken of available technology and the cost of implementation.
The Court concluded that Article 17(2) GDPR must be interpreted as not precluding a data protection authority from ordering a directory provider, whom the subscriber of a telecom service operator requested to cease publishing his personal data, to take ‘reasonable steps’ to inform search engine providers of the request for erasure.
Whilst the case is specific to its facts, it gives an interesting insight into the obligations the CJEU considers apply to a controller when a data subject has made an erasure request by withdrawing his or her consent to the processing of personal data, and into the measures a controller must take when those personal data have been communicated to other controllers.
The authors would like to thank Emma Mintern for her contribution to this briefing.