ECJ ruling: Personal data must be easier to delete

The extensive deletion of personal data from directories such as telephone books could become much easier in the future.

If telephone providers have passed on customer data to other providers and search engines, they must also ensure that the entries there are deleted if the customers ask them to do so.

The European Court of Justice (ECJ) announced on Thursday in Luxembourg (Case C-129/21) that they do not have to apply for deletion from each company individually.

The background to the judgment is a lawsuit against the Belgian telephone provider Proximus, which offers, among other things, telephone information services and directories with personal data such as names, addresses and telephone numbers.

These are transmitted to Proximus by other providers and Proximus also forwards them to other providers and search engines such as Google.

So far, this only requires a single consent from the customer.

Customers must consent

A customer is now suing because his new telephone number was in such a directory without his consent.

Proximus fought back, arguing that the customer's consent was not required for the publication of his data in telephone directories.

Rather, they would have to apply for not being listed themselves using a so-called opt-out procedure.

As long as this does not happen, data does not have to be deleted.

The ECJ did not follow this.

Before the data is published, customers must give their consent.

With this consent, other companies could then also process the data, provided that the same purpose is being pursued.

Equally, it is then sufficient to revoke your consent just once - whether to your own provider or to one of the other companies that use the data.

The telephone providers are then obliged to forward the revocation and ensure that the data is deleted.