CURIA - Documents
11 of 58
http://curia.europa.eu/juris/document/document_print.jsf?docid=2320...
3.
For the purpose of marketing electronic communications services or for the provision of value
added services, the provider of a publicly available electronic communications service may process
the data referred to in paragraph 1 to the extent and for the duration necessary for such services or
marketing, if the subscriber or user to whom the data relate has given his or her prior consent. Users
or subscribers shall be given the possibility to withdraw their consent for the processing of traffic
data at any time.
…
5.
Processing of traffic data, in accordance with paragraphs 1, 2, 3 and 4, must be restricted to
persons acting under the authority of providers of the public communications networks and publicly
available electronic communications services handling billing or traffic management, customer
enquiries, fraud detection, marketing electronic communications services or providing a value
added service, and must be restricted to what is necessary for the purposes of such activities.
…’
20
Article 9(1) of that directive, that article being headed ‘Location data other than traffic data’,
provides:
‘Where location data other than traffic data, relating to users or subscribers of public
communications networks or publicly available electronic communications services, can be
processed, such data may only be processed when they are made anonymous, or with the consent of
the users or subscribers to the extent and for the duration necessary for the provision of a value
added service. The service provider must inform the users or subscribers, prior to obtaining their
consent, of the type of location data other than traffic data which will be processed, of the purposes
and duration of the processing and whether the data will be transmitted to a third party for the
purpose of providing the value added service. …’
21
Article 15 of that directive, headed ‘Application of certain provisions of Directive [95/46]’, states:
‘1.
Member States may adopt legislative measures to restrict the scope of the rights and
obligations provided for in Article 5, Article 6, Article 8(1), (2), (3) and (4), and Article 9 of this
Directive when such restriction constitutes a necessary, appropriate and proportionate measure
within a democratic society to safeguard national security (i.e. State security), defence, public
security, and the prevention, investigation, detection and prosecution of criminal offences or of
unauthorised use of the electronic communication system, as referred to in Article 13(1) of
Directive [95/46]. To this end, Member States may, inter alia, adopt legislative measures providing
for the retention of data for a limited period justified on the grounds laid down in this paragraph.
All the measures referred to in this paragraph shall be in accordance with the general principles of
[Union] law, including those referred to in Article 6(1) and (2) of the Treaty on European Union.
…
2.
The provisions of Chapter III on judicial remedies, liability and sanctions of Directive [95/46]
shall apply with regard to national provisions adopted pursuant to this Directive and with regard to
the individual rights derived from this Directive.
…’
Regulation 2016/679
22
Recital 10 of Regulation 2016/679 states:
‘In order to ensure a consistent and high level of protection of natural persons and to remove the
obstacles to flows of personal data within the Union, the level of protection of the rights and
2/15/2021, 4:58 PM