Am I My Brother’s Keeper?
Understanding the Importance of Data Protection Compliance Management in Processing Chains: Key Takeaways from the CJEU’s “Proximus” Judgement C-129/21
The requirement on companies to take appropriate measures to prevent breaches of GDPR obligations is part of the accountability principle in Article 5(2) GDPR, says the CJEU. This clarifies the data protection compliance obligations that companies must fulfil and extends them to processing chains.
- If multiple controllers rely on a shared global legal basis, losing the legal basis for one controller results in the loss of legal basis for all controllers (referred to as the "All for one and one for all" principle).
- Controllers are required to establish technical and organizational measures to inform other controllers when data subjects exercise their rights ("Controller's right to know").
- Controllers must inform third parties, such as search engine operators, to remove information based on personal data that is no longer allowed to be processed by the controller ("general clean up").
Facts of the decision:
The plaintiff is a Belgian telecommunications provider. It operates publicly accessible phone directories in which the names, addresses, and phone numbers of users are listed. The plaintiff received some of this data from third-party providers on the basis of consent, which was also the basis for the sharing of the data. The plaintiff also shared the data with third-party phone directory providers.
The complainant is a subscriber of a telephone service provider that does not offer phone directories. However, this provider regularly transmitted data of its subscribers to the plaintiff.
In the disputed case, the complainant requested the plaintiff not to list their data in the directory. Initially, the plaintiff complied. However, due to a technical error, the data was again listed as non-confidential in the next update of their records and accordingly appeared in their public directories.
Upon further request for deletion by the complainant, the plaintiff deleted the entry. However, the complainant still complained to the Belgian data protection authority, which imposed a fine of €20,000 on the plaintiff for violating Art. 6 in conjunction with Art. 7 GDPR and Art. 5 (2) in conjunction with Art. 24 GDPR. The authority also requested that the plaintiff take further remedial measures.
The plaintiff appealed this decision to the Brussels Court of Appeal, which referred several questions to the CJEU for the interpretation of Art. 5, 17, and 24 GDPR.
With its third question, the referring court essentially seeks to clarify whether a national supervisory authority can decide, under Article 5(2) of the EU General Data Protection Regulation (GDPR) and Article 24 of the GDPR, that the data controller must take appropriate technical and organizational measures to inform third-party controllers, namely the telecommunications provider and other providers of subscriber directories, who have received data from this primary controller, about the revocation of the data subject's consent in accordance with Article 6 of the GDPR in conjunction with Article 7 of the GDPR.
CJEU: New Accountability and Compliance Obligations
On the third referral question, the Advocate General and the Court have recently emphasized that they take the terms "control" and "accountability" literally. Let's take a step back and take a closer look at a decision from last year.
1. The GDPR game changer: How C-175/20 shifted the burden of proof in IT system design
In the case of C-175/20 - "S" SIA/Valsts ieņēmumu dienests (to date not available in English on the official website of the CJEU), the court made an important determination. It concluded that Article 5(2) of the GDPR involves a procedural shift in the burden of proof. This shift extends not only to the actual operation but also to the design phase of information technology systems. This means that when it comes to compliance with the data protection principles set out in Article 5 of the GDPR, as well as their specifications such as Article 25 ("Privacy by Design, Privacy by Default"), the onus is on the developers and organizations involved.
Since the decision has not been published in English on the CJEU's website to date, here is an independent translation from the French version.
Para. 77
In this context, it should be noted that, according to the principle of accountability enshrined in Article 5(2) of Regulation 2016/679, the data controller must be able to demonstrate compliance with the principles for the processing of personal data as set out in paragraph 1 of that article.
Para. 78
Consequently, it is the responsibility of the Latvian tax administration to prove that, in accordance with Article 25(2) of this regulation, it has made efforts to minimize the amount of personal data collected as much as possible.
Para. 81
As derived from Para. 77 above, the burden of proof in this regard lies with the Latvian tax administration.
The German Federal Administrative Court (Bundesverwaltungsgericht, highest administrative court in Germany) immediately applied the CJEU's case law to national cases (judgment of 2 March 2022 - 6 C 7/20, para. 50):
This provision not only establishes accountability and reporting obligations of the data controller to the supervisory authority, but also regulates, according to the case law of the Court of Justice of the European Union, the burden of proof in cases where compliance with the principles of Article 5(1) of the GDPR is in dispute between the controller and the data subject in a legal proceeding.
It is not an exaggeration to say that the CJEU's decision will have a lasting impact on procedural laws in all jurisdictions.
For example, when creating a new social media platform, the designers must ensure that user privacy is embedded within the system's architecture from the very beginning, rather than as an afterthought. To achieve this, designers, developers, and organizations involved must adhere to several technical and organizational strategies. To give an example:
- Firstly, adopt secure development practices, such as regular security audits and vulnerability assessments; these contribute to the platform's overall security and reduce the risk of data breaches. This approach aligns with the GDPR's emphasis on proactive security measures.
- Secondly, do not underestimate the importance of integrating privacy-aware APIs and third-party services. This involves carefully evaluating the data protection policies of third-party providers and minimizing data sharing to protect user privacy.
- Thirdly, implement clear privacy settings and user consent mechanisms, giving users control over their data.
All of the requirements of Art. 5 GDPR (including Art. 25 GDPR et al.) must be provable by the data controller in court, using documents, witnesses, or expert testimony. The effort that controllers must undertake to provide legally admissible evidence of compliant behavior has significantly increased due to this decision. Assistance in this regard could be provided by the instrument of a Data Protection Impact Assessment (DPIA), if it is applied correctly and, most importantly, in a timely manner. DPIAs can play a crucial role in the early-stage application of Privacy by Design. By conducting a DPIA at the beginning of a project or system development, organizations can identify potential privacy risks and address them proactively. This early assessment allows for the integration of privacy-enhancing measures into the design and development process, ensuring that data protection principles are embedded throughout the system's lifecycle.
2. Shifting gears in compliance management: How the CJEU's C-129/21 decision reinforces data controllers' obligations
Article 5(1)(a) and (2) of the GDPR stipulate that processing of personal data is lawful only if the data controller can demonstrate that it is being done lawfully and in good faith. Additionally, Article 24 of the GDPR mandates that the data controller must adopt suitable technical and organizational measures to both ensure and demonstrate that their data processing adheres to the requirements of the regulation. In the current case, the CJEU goes beyond previous rulings and places an additional responsibility on the data controller to notify all parties involved in the processing chain (in this instance, the data recipients) when data subject rights are exercised, specifically in the context of revoking consent. This is intended to enhance the effectiveness of data subject rights.
If there is a group of controllers who obtain their permission to process data from the same "global" consent, then by exercising data subject rights (such as "revocation of consent") against one of the controllers, the consent for all controllers is revoked. The basic concept can be summarized as follows: if the legal basis (the "global" consent) is withdrawn from one controller, it is automatically invalidated for all controllers.
Although there is no explicit obligation, the CJEU concludes that enforcing data subject rights across multiple controllers processing data requires, at a minimum, an obligation to provide information about the exercised data subject rights between the controllers (as stated in paragraph 85 of the “Proximus” decision). To avoid time-consuming debates between the contracting parties about the interpretation of this decision, it is advisable to revise existing data processing agreements and include this obligation explicitly.
The court correctly points out that these technical and organizational measures are not limited to the immediate parties involved, but also encompass third parties who have indirectly benefited from the original data processing (paragraph 91 of the “Proximus” decision):
Other recipients, including search engine operators, should also be notified of requests for data erasure by data subjects, so that they can take appropriate action and remove personal data from their search results.
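As an added illustration (not code from the article or from any party to the case), the following Python model shows the three points the article draws from the judgement: one global consent shared by several controllers, revocation declared to one controller removing the legal basis for all of them and being notified to the other controllers and to their recipients such as search engine operators, and a suppression check that stops a later data feed from re-listing an opted-out subscriber, the technical error in the facts of the case. All controller names and records are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Controller:
    name: str
    recipients: list = field(default_factory=list)  # downstream recipients of the data
    directory: dict = field(default_factory=dict)   # subject_id -> published entry

class ProcessingChain:
    """Constructed example (not the article's own code): one 'global' consent."""
    def __init__(self, controllers):
        self.controllers = {c.name: c for c in controllers}
        self.relying = {}      # subject_id -> names of controllers relying on the consent
        self.revoked = set()   # subject ids whose consent has been withdrawn
        self.notified = []     # (sender, receiver, subject_id): record of the duty to inform

    def consent(self, subject_id, entry, controllers):
        """One global consent: every named controller may publish the entry."""
        self.relying[subject_id] = set(controllers)
        for name in controllers:
            self.controllers[name].directory[subject_id] = entry

    def revoke(self, subject_id, received_by):
        """Withdrawal against ONE controller ends the basis for ALL; each informs its recipients."""
        self.revoked.add(subject_id)
        for name in sorted(self.relying.get(subject_id, ())):
            self.controllers[name].directory.pop(subject_id, None)
            if name != received_by:
                self.notified.append((received_by, name, subject_id))
            for r in self.controllers[name].recipients:  # e.g. search engine operators
                self.notified.append((name, r, subject_id))

    def import_update(self, controller, records):
        """Periodic feed from an upstream provider: the revocation list is checked before
        writing, so a stale feed cannot re-list an opted-out subscriber. Returns rejected ids."""
        rejected = []
        for subject_id, entry in records.items():
            if subject_id in self.revoked:
                rejected.append(subject_id)
            else:
                self.controllers[controller].directory[subject_id] = entry
        return rejected

def demo():
    chain = ProcessingChain([Controller("DirectoryA", ["SearchEngine"]), Controller("DirectoryB")])
    chain.consent("sub-1", {"name": "J. Doe"}, ["DirectoryA", "DirectoryB"])
    chain.revoke("sub-1", received_by="DirectoryA")
    rejected = chain.import_update("DirectoryA", {"sub-1": {"name": "J. Doe"}})
    return chain, rejected
```

The `notified` log is the kind of record a controller could produce in court to show it met the duty to inform; `import_update` is the check the plaintiff's update process lacked.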
It is worth highlighting that the CJEU regards these obligations not as an interpretation of the provisions on joint controllership under Article 26 of the GDPR, but rather as an inherent obligation of each data controller under Article 24 of the GDPR. This provides a glimpse of how rigorous courts may become in the future when dealing with any diffusion of responsibility in processing chains. This will be the case even if there is controversy and potentially unresolved questions about whether and to what extent joint responsibility for certain processing operations exists, which may need to be referred to the CJEU for clarification.
Lawyers, management consultants, auditors, and certification service providers will have a significant amount of work to do as a result of this decision.
This is crucial because evading liability for compliance violations, including the direct liability of directors and officers, can only be achieved by establishing and vigilantly monitoring appropriate structures, such as a robust information security and data protection management system. Implementing a "Plan-Do-Check-Act" (PDCA) process is essential for maintaining these structures. For example, a company might create a comprehensive data protection management system, execute the necessary policies and procedures, routinely assess their effectiveness, and make adjustments as needed to ensure ongoing compliance with relevant regulations. This proactive approach not only mitigates potential risks but also safeguards the organization and its leadership from legal repercussions.
Furthermore, the reversal of the burden of proof under data protection law concerning the fulfillment of these compliance obligations poses a substantial challenge in terms of resource allocation for data protection officers, data protection coordinators, operational data protection teams, and in-house legal and IT experts. This shift means that these professionals must now proactively demonstrate their organization's compliance, rather than merely react to potential violations. For example, data protection teams and officers may need to invest more time in training employees, conducting regular audits, and preparing thorough documentation to prove adherence to regulations.
As a result, organizations must be prepared to allocate additional resources to ensure that their data protection and compliance teams and officers have the necessary support to meet these heightened expectations and successfully navigate this new legal landscape.
Article provided by INPLP member: Peter Hense (Spirit Legal)
Co-Author: Tea Mustać