provided for in Article 15(2) of Directive 2002/58, read
together with Article 22 of Directive 95/46, where their rights
have been infringed (see, by analogy, judgments of 7 May
2009, Rijkeboer, C-553/07, EU:C:2009:293, paragraph 52,
and of 6 October 2015, Schrems, C-362/14, EU:C:2015:650,
paragraph 95).
122. With respect to the rules relating to the security and
protection of data retained by providers of electronic
communications services, it must be noted that Article 15(1) of
Directive 2002/58 does not allow Member States to derogate
from Article 4(1) and Article 4(1a) of that directive. Those
provisions require those providers to take appropriate
technical and organisational measures to ensure the effective
protection of retained data against risks of misuse and against
any unlawful access to that data. Given the quantity of retained
data, the sensitivity of that data and the risk of unlawful access
to it, the providers of electronic communications services must,
in order to ensure the full integrity and confidentiality of that
data, guarantee a particularly high level of protection and
security by means of appropriate technical and organisational
measures. In particular, the national legislation must make
provision for the data to be retained within the European
Union and for the irreversible destruction of the data at the end
of the data retention period (see, by analogy, in relation to
Directive 2006/24, the Digital Rights judgment, paragraphs 66
to 68).
123. In any event, the Member States must ensure review, by an
independent authority, of compliance with the level of
protection guaranteed by EU law with respect to the protection
of individuals in relation to the processing of personal data,
that control being expressly required by Article 8(3) of the
Charter and constituting, in accordance with the Court’s
settled case-law, an essential element of respect for the
protection of individuals in relation to the processing of
personal data. If that were not so, persons whose personal data
was retained would be deprived of the right, guaranteed in
Article 8(1) and (3) of the Charter, to lodge with the national
supervisory authorities a claim seeking the protection of their
data (see, to that effect, the Digital Rights judgment,
paragraph 68, and the judgment of 6 October 2015, Schrems,
C-362/14, EU:C:2015:650, paragraphs 41 and 58).
124. It is the task of the referring courts to determine whether
and to what extent the national legislation at issue in the main
proceedings satisfies the requirements stemming from
Article 15(1) of Directive 2002/58, read in the light of
Articles 7, 8 and 11 and Article 52(1) of the Charter, as set out
in paragraphs 115 to 123 of this judgment, with respect to both