1. The providers of number-based interpersonal communications services shall obtain the consent of end-users who are natural persons to include their personal data in the directory and for inclusion of such data per category of personal data, to the extent that such data are relevant for the purpose of the directory as determined by the provider of the directory.
1aa. Notwithstanding paragraph 1, Member States may provide by law that the inclusion of personal data of an end-user who is a natural person in a publicly available directory can take place provided that he end-user who is a natural person shall have the right to object to such inclusion.
2. The providers of number-based interpersonal communications services shall inform end-users who are natural persons whose personal data are in the directory of any search functions that is not based on name or number in the directory and obtain the consent of end-users’ before enabling such search functions related to their own data.
3. The providers of number-based interpersonal communications services shall provide end-users that are legal persons with the possibility to object to data related to them being included in the directory.
3a. The providers of number-based interpersonal communications services shall give end-users the means to verify, correct and delete data included in a publicly available directory.
3aa. Notwithstanding paragraphs 1aa to 3a, Member States may provide by law that the requirements under those paragraphs apply to providers of publicly available directories, in addition to or instead of, providers of number-based interpersonal communications services.
4. The possibility for end-users not to be included in a publicly available directory, or to verify, correct and delete any data related to them shall be provided free of charge.
4a. Where the personal data of the end-users of number based interpersonal communications services have been included in a publicly available directory before this Regulation enters into force, the personal data of such end-users may remain included in a publicly available directory, including version with search functions, unless the end-users have expressed their objection against their data being included in the directory or against the use of available search functions related to their data.
(30) Publicly available directories means any directory or service containing information on end-users of number-based interpersonal communication services such as name, phone numbers (including mobile phone numbers), email address, home address and includes inquiry services, the main function of which is to enable to identify such end-users. End-users that are natural persons should be asked for consent before their personal data are included in a directory, unless Member States provide that such end-users have the right to object to inclusion of their personal data. The legitimate interest of legal persons requires that end-users that are legal persons have the right to object to the data related to them being included in a directory. End-users who are natural persons acting in a professional capacity should be treated as legal persons for the purpose of the provisions on publicly available directories.
(31) Providers of number-based interpersonal communications services should inform the end-users who are natural persons of the search functions of the directory and obtain their consent before enabling such search functions related to their personal data. The categories of personal data included in the directory and the categories of personal data on the basis of which the end-user’s contact details can be searched should not necessarily be the same.
Art. 15 ePrivacy Regulation protects end-users´ privacy with respect to personal data. It refers to the inclusion of personal data into publicly available directories by the providers of number-based interpersonal communications services, as defined in Art. 4 Sec. 1 lit. b ePrivacy Regulation in conjunction with Art. 2 Sec. 16 European Electronic Communications Code Directive (‘EECC’). The regulation corresponds the finding that end-users should have the right to decide, to what extent such inclusion corresponds their will of disclosing data, in particular their name, telephone number and address. Directories of subscribers to electronic communications services are widely distributed and public, which results in a specifically intensified interference with privacy. In order to allow for related social advantages, respective regulation is needed, providing a legal frame of creating and making available the required data.
Art. 15 ePrivacy Regulation correlates its predecessor, Art. 12 ePrivacy Directive, which had already regulated this issue in an almost identical way. Consequently, there should be no substantial changes in national legal systems. Both provisions include mainly three stipulations: On a first step, they pertain to the inclusion of personal data. On a second step they regulate related search functions, as far as such data is made available online. If end-users, even though having consented or not objected inclusion of their data, disapprove of their concrete way of presentation, providers must thirdly allow for a correction or deletion. With regard to the (rather confusing) arrangement of the norm, these three core-stipulations should be kept in mind and order the following comments.
Allocation within Chapter III (end-users´ rights to control electronic communications), withal, appears systematically inaccurate, since personal data, included in directories, does not represent electronic communications content or metadata, but rather locate outside the actual communications context. Telephone numbers, names and addresses make communication possible in the first place and are therefore located upstream of it. Consequently, these must not be considered communication data in the narrower sense, but rather personal data related to communication. Thus, assignment to Chapter III is to be understood as a stopgap solution, particularly, since better alternatives, such as Chapter II (protection of electronic communications of end-users and of the integrity of their terminal equipment), turn out to be equally improper.
Inclusion of names, addresses and telephone-numbers, as well as conceivable other information to publicly available directories represent processing of information, which relates to an identified or identifiable natural person, i.e. to personal data in the meaning of Arts. 2 Sec. 1 and 4 Sec. 1 et seq. GDPR. Consequently, the GDPR´s stipulations must be complied with to the extent, no special provisions of Art. 15 ePrivacy Regulation are pertinent (cf. Art. 95 ePrivacy Regulation). Pursuant to Art. 15 in conjunction with Art. 1 Sec. 3 ePrivacy Regulation, that applies to natural persons and, as far as a consent-requirement in the sense of Art. 4a Sec. 1 ePrivacy Regulation is concerned, mutatis mutandis to legal persons.
Providers of number-based interpersonal communications services are required to heed the will of their end-users, both natural (Sec. 1) and legal (Sec. 3), when including their personal data in a publicly available directory. While natural persons principally need to provide their consent, legal persons can only object to their inclusion.
According to Recital 30 ePrivacy Regulation, a publicly available directory is defined as any directory or service containing information on end-users of number-based interpersonal communication services, such as name, telephone number (including mobile phone numbers), email address or home address. A classic example for directories is made with reference to telephone books. However, the term is also broader and encompasses other registers, providing more than a pure list of telephone numbers and addresses, as for instance industry books (e.g. “yellow pages”). From a technical point of view, that includes electronic registers providing digital access to information, as for instance (and nowadays most importantly) online directories. If set up in this manner, directories may moreover include specific inquiry services, allowing for a term-specific search. That may facilitate assignability of lacking information, as for instance in cases, where only a number is present, and thus allow to identify their related end-user.
A directory or service is public, if anyone can access its content either by opening an (analogue) page or displaying it digitally. Withal, the entire content must be available at once, since otherwise the directory only partially qualifies as public and does, hence, not subsume under Art. 15 Sec. 1 ePrivacy Regulation. For instance, customer and subscriber lists are no publicly available directories, even though information might be requested and, on a case-by-case basis, individually provided by the service provider. The same applies to information services, which both only allow for a request of single information and are moreover available only during service hours. On the other hand, it is harmless if, for example, an online service does not (optically) make the entire list available, but only permits an individual query, provided that this merely simulates a correspondingly limited search in the analogue directory from a practical point of view and is therefore functionally equivalent. In this regard, the term ‘public’ equals the term ‘published’. What is more, the possibility of access alone suffices publicity, i.e. an actual access by anyone and at the same time is not required. Consequently, also services, which require special technical requisites beforehand, such as specific terminal equipment or WiFi-access, are public, as long as such requisites can be acquired by anyone and on equal terms.
The inclusion of natural persons´ data into publicly available directories is subject to a two-fold stipulation under Art. 15 Sec. 1 and Sec. 1aa ePrivacy Regulation, which principally requires an end-user´s consent and can be replaced by a legal basis in the course of national legislation. Natural persons in the meaning of Art. 4 Sec. 1 lit. a ePrivacy Regulation in conjunction with Art. 4 Sec. 1 GDPR are principally defined as all living mankind, regardless of their age and nationality. As Recital 30 ePrivacy Regulation states, Art. 15 ePrivacy Regulation narrows down this broad understanding and excludes such natural persons acting in a professional capacity. These should be treated as legal persons instead.
a) Consent, Art. 15 Sec. 1
According to Art. 15 Sec. 1 ePrivacy Regulation, inclusion of personal data into a publicly available directory requires obtainment of consent by the concerned end-user. Pursuant to Art. 4 Sec. 1 lit. a ePrivacy Regulation, that pertains to the terms and standards of consent under Art. 4 No. 11; 6 Sec. 1 lit. a; 7 and 8 GDPR. Accordingly, consent needs to include both the listing of information itself and the inclusion of such data per category, since these represent separate ways of processing. Both might be given in the course of a single consenting-action.
Yet, with regard to the principle of informedness and definiteness pursuant to Art. 4a Sec. 1 lit. a ePrivacy Regulation in conjunction with Arts. 4 Sec. 11 and 6 Sec. 1 lit. a GDPR requires to point out awareness of the dual nature of consent to the end-user.
Consent only comes into consideration with regard to data relevant for the purpose of the directory as determined by the provider of the directory. Irrelevant data is conversely excluded from the outset. Telephone directories, for instance, might subsequently not ask an end-user for particular categories of data (as enlisted e.g. by Art. 9 Sec. 1 GDPR), such as marital statuses or political affiliation.
b) Legal inclusion, Art. 15 Sec. 1aa
Art. 15 Sec. 1aa ePrivacy Regulation represents an exception to the principal of the requirement to obtain prior consent for the inclusion of personal data into publicly available directories. Accordingly, Member States may provide a legal basis for this, provided that the end-user, being a natural person, has the right to object. It follows the idea of balancing out interests between the public welfare resulting from a functioning telecommunication infrastructure and the right to privacy. Consequently, including personal data into a directory might become subject to further prerequisites, such as a gradation of admissibility. Thus, there might be a distinction between data, which is made publicly available data subject only to an objection and such, requiring prior approval.
A respective example for national legislation might be given by German law, which in its § 17 Sec. 1 Telecommunications Telemedia Data Protection Act (TTDSG) already provides for a respective stipulation, requiring prior request by the party concerned. Included data will at first only encompass the name and telephone number and needs an additional request for the inclusion of other information such as profession or industry (see § 17 Sec. 1 S. 3 TTDSG). Further users of the same connected line can be included, moreover, if the applicant proves their explicit consent (see § 17 Sec. 1 S. 5 TTDSG). In this regard it might prove problematic, however, that Art. 15 Sec. 1aa ePrivacy Regulation essentially stipulates a legal basis for further restrictions of end-user rights. This can be seen as a result from the above-mentioned balancing of interests. Legislation intends to liberate the market for public directories in the interest of a functioning telecommunication infrastructure. A further expansion of end-user rights in the course of the replacement of the general prohibition combined with a (passive) consent-reservation by a general prohibition with (proactive) request-requirement, to the contrary, represents a further hurdle for the inclusion of personal data and therefore runs counter to this. Consequently, a literal interpretation of § 17 Sec. 1 TTDSG is hardly compatible with sense and purpose of Art. 15 Sec. 1aa ePrivacy Regulation and can therefore most probably not stand in the course of its entry into force. Without entering into the debate on the permissibility of implementation through legal interpretation in conformity with Union law, especially with a view to the specific features in the context of the voluntary exercise of the Member States’ scope for action, there is, hence, a prima facie need for improvement.
 Ziebarth, in: Sydow, DSGVO (2018), Art. 4 Rec. 10; Dammann, in: Simitis, BDSG (2011), § 3 Rec. 17;
 Buchner/Petri, in: Kühling/Buchner, DS-GVO BDSG (2020), Art. 6 Rec. 20.
 Cf. Schulz, in Gola, DS-GVO (2018), Art. 6 Rec. 21.
 Cf. in this regard only Nettesheim, in: Grabitz/Hilf/Nettesheim, Das Recht der EU, Art. 288 TFEU Rec. 135 at the end.
Legal persons are entities with legal personality, which are granted specific legal rights or made subject to obligations and restrictions. This will, for example, apply to entities like the UK ‘Limited’ (Ltd.) or the German ‘Gesellschaft mit beschränkter Haftung’ (GmbH). In comparison to natural persons, Art. 15 Sec. 3 ePrivacy Regulation attributes legal persons a significantly more limited remedy to the extent, that the latter might only object to the inclusion of their data in a publicly available directory, while the earlier generally need to consent such inclusion in the first place. Justification for this differentiation is provided by the structural differences between both actors and the scope of respective personality rights. While legal persons develop their actions in the social sphere and are structurally oriented towards it, natural persons move in different spaces, namely the intimate, private and social. Corresponding to the fundamental rights significance and quality of these spheres it is therefore necessary to also differentiate with regard to the legal remedies, as within the framework of privacy and data protection, these ultimately represent a direct outflow of the right of personality. As natural persons are, hence, entitled to a qualitatively stronger protection by the fundamental right to personality, this justifies the less effective protection of legal persons within the scope of Art. 15 Sec. 3 ePrivacy Regulation. This conclusion is also supported by the observation that in national legal systems, legal entities are regularly obliged to publicly disclose their corporate structure and registered office within commercial registers from the outset and might therefore only claim a diminished interest in additional protection of data. That is not only, because a substantial part of it has already been disclosed. But also, in view of the lower visibility of the persons acting “behind” a legal entity, publicly available directories help to further reduce uncertainty in legal relations. The basic registrability under Art. 15 Sec. 3 ePrivacy Regulation with the possibility of objection is justified in front of this backdrop.
Questionable is, if the objection needs to pertain to the entire entry or can also claim only partial deletion. The question arises with regard to the subsequent provision of Art. 15 Sec. 3a Var. 3 ePrivacy Regulation, which (also) allows for a right to claim verification, correction and deletion of data included in a publicly available directory. Indeed, Sec. 3a seems to pertain to both Secs. 1 and 3 by means of being “pulled behind the brackets”. Systematically, however, this provision would not make any sense with regard to Sec. 3, if it would only repeat its regulatory content. In this respect, on the one hand, it would be conceivable to interpret Sec. 3 as a prior form of objection, while Sec. 3a would apply to all subsequent actions, i.e. whenever data has already been included to the directory. This solution is supported by the information requirement, stipulated in the preceding Art. 12 Sec. 1 ePrivacy Directive, which at the same time only spoke of the term “not being included”, not distinguishing between consent and objection, whatsoever. Yet, on the other hand, this interpretation would negate the express verbal difference applied by the ePrivacy Regulation. In fact, a literal interpretation in view of the clarifying listing in connection with the term “verify and correct” would rather argue for a differentiated remedy distribution between the paragraphs, while granting Sec. 3 a complete and only Sec. 3a a partial deletion. This interpretation, however, would artificially split up the linguistically rather unmindful application of the term within both Sec. 3 and Sec. 3a and also not achieve factually different results. It therefore seems more appropriate to allow both complete and partial deletion of data under Sec. 3 and Sec. 3a and to grant the latter only a clarifying function in this respect. After all, Sec. 3a is not being derived of its regulatory content completely, since this way, it still applies to Sec. 1. Objection, hence, can pertain either to the entire entry or claim only partial deletion.
 As regards the so called “sphere-theory”, cf. its first elaboration within the German Federal Constitutional Court (BVerfG) decision of 15 January 1970, 1 BvR 13/68 – Ehescheidungsakten.
 As regards the nature of privacy and data protection as part of the right to personality, cf. for its dogmatic derivation in German law the BVerfG decision of 3 June 1980, 1 BvR 185/77 – Eppler and BVerfG decision of 15 December 1983, 1 BvR 209, 269, 362, 420, 440, 484/83 – Volkszählung; as regards the inferior protection level of legal persons under Art. 2 Sec. 1 of the German Constitution (GG), cf. only Di Fabio, in: Dürig/Herzog/Scholz, Grundgesetz Kommentar (2021), Art. 2 Rec. 224.
 Examples provide the German `Handelsregister` (HR), French ‘Registres du commerce et des sociétés’ (RCS) and Italian ‘Registro delle Imprese’.
 Cf. Krafka, in: Münchener Kommentar zum HGB (2021), § 8 Rec. 4 et seqq.
Art. 15 Sec. 1 ePrivacy Regulation refers to the term of personal data, as defined in Art. 4 Sec. 1 lit. a ePrivacy Regulation in conjunction with Art. 4 Sec. 1 GDPR, i.e. information relating to an identified or identifiable person. In the context at hand, this might include name, telephone number and address, but also academic degrees, e-mail addresses, web-pages and office- or consultation hours. Legal persons might moreover be displayed with regard to responsibilities within the company and sub-organizations, company logos, graphics, activity fields and target groups.
Since the amount of data is subject to prior consent or subsequent correction (cf. Art. 15 Sec. 3a ePrivacy Regulation), the specific appearances of different end-users might differ substantially from case to case. In order to avoid an excessive influence on the appearance and scope of the respective service, the consent granted under Art. 15 Sec. 1 can therefore not be linked to individual conditions, which go beyond the data categories and layout provided in the first place. Here, a specific categorized format moreover helps to enable a functional differentiation from specific platforms in the context of social media services. Yet, insofar as the directory-provider (in contrast to common formats) intends a fully individualized personal description by the end-user, the principle of equal treatment must be observed when including the data in the telephone directory. Consequently, the type and scope of the publication of data of a specific subscriber represent the standard to which the contractual partner must adhere to in other cases.
Art. 15 ePrivacy Regulation does not oblige providers of number-based interpersonal communications services and other enterprises to provide publicly available directories. It rather ties in with already existing services and regulates the specific conditions, under which these are being made available. This finding is supported by the absence of a respective stipulation, which had previously been installed within Art. 5 Sec. 1 lit. a Directive 2002/22/EC (Universal Service Directive). Here, service providers would not be concerned directly, yet, Member States had to ensure that in one way or the other there would be available at least one comprehensive directory, updated once a year and available to all end-users and finally fall back on the earlier. The general aim of this stipulation was to provide sufficient access to respective information and, thus, to provide for the basic prerequisites of publicly available and effective interpersonal telecommunication infrastructure. Since later this was being guaranteed by a functioning market for directory services, the obligation of a service provision was considered unnecessary and therefore repealed in the course of the EECC.
Accordingly, there is no service obligation for publicly available directories in the framework of the ePrivacy Regulation any longer. Service providers and other private persons are much rather free to make respective undertakings or not. If, however, directories are being provided, providers of number-based interpersonal communications services are obliged to make available relevant information, as stipulated in Art. 112 Sec. 1 EECC. This respectively converts into a right of receiving information on “fair, objective, cost oriented and non-discriminatory terms”. Conversely, as regards the right to be included in publicly available directories, such has also been explicitly abolished in the course of the aforementioned repeal of a service obligation. It can therefore neither be read out of Art. 15 ePrivacy Regulation. Legislation here much rather trusts in the functioning of the market, as well.
 The respective transposition into German law was made by § 78 Sec. 2 No. 3 Telecommunications Act (TKG old version) and has now as well been abolished in the course of § 17 et seq. of the new Telecommunications Telemedia Data Protection Act (TTDSG).
 Cf. Rec. 11 Directive 2002/22/EC (Universal Service Directive); it was therefore included to the general service obligation pursuant to its Chapter II.
 Cf. Rec. 302 EECC.
 Cf. Rec. 302 EECC
 Ibid.; in German law, there is even a request requirement according to § 17 Sec. 1 TTDSG.
According to Art. 15 Sec. 4. ePrivacy Regulation, (only) the possibility for end-users not to be included in a publicly available directory, or the ability to verify, correct and delete any data related to them shall be provided free of charge. Conversely, consent or a complementary legal basis pursuant to Art. 15 Sec. 1aa ePrivacy Regulation might be subject to fees. If Member States, withal, make use of the latter, they should take into account, however, that the basic exemption from fees for the deletion of an entry is not being circumvented by a compulsory charging in the first place. Rather, respective fees would either need to be reimbursed or charged only by the condition of a particular time frame for objection.
Art. 15 Sec. 2 ePrivacy Regulation obliges providers of number-based interpersonal communications services to inform end-users included into the directory of search functions, which are not based on name or number. This mainly concerns online directories, collecting different forms of data, such as address, webpages or professions, and their specific search masks. End-users need to consent in the facilitation of such functions before these are being enabled. Thus, the provision corresponds to the fact that enabling search functions represent an additional facility to the basic service (the provision of contact information) and therefore a further step of processing. Since according to the principle of purpose limitation, each step of processing personal data requires separate justification, an additional consent requirement applies already by means of Arts. 4 Sec. 2; 5 Sec. 1 lit. b; 6 Sec. 1 lit. a GDPR. To this extent, Art. 15 Sec. 2 ePrivacy Regulation fulfills its specification function pursuant to Arts. 1 Sec. 3; 4a Sec. 1 ePrivacy Regulation in conjunction with Art. 95 GDPR.
 Cf. Buchner/Petri, in: Kühling/Buchner, DS-GVO BDSG (2020), Art. 6 Rec. 20.
 For further information see Di Fabio, in: Dürig/Herzog/Scholz, Grundgesetz Kommentar (2021), Art. 2 Sec. 1 Rec. 203 et seqq. with reference to the Federal German Constitutional Court (BVerfG), decision of 8 March 1988, 1 BvL 9/85 und 43/86 – Gemeinsamer Familienname;
Verification, in the sense of confirming an existing entry, prima facie appears to be of a purely declaratory meaning, since, on the one hand, rather the provider´s interests are met this way than the end-user´s, for whom it represents an additional expenditure to undergo a respective procedure. Most likely, verification facilities will therefore not be used very often, and if, then rather only to correct or delete other information at the same time. On the other hand, in view of the requirement of prior consent pursuant to Art. 15 Sec. 1 ePrivacy Regulation, it appears questionable, if natural end-users would ever undergo the additional procedure of a (subsequent) verification or rather include such action implicitly into the prior process of consenting in the first place.
Correcting misspelled, content-wise or in another way wrongly published information needs to respect the boundaries of a directorie´s given format. Doing so, correction might entail both replacements and extensions. Pure deletions, withal, are reserved for Art. 15 Sec. 3a Var. 3 ePrivacy Regulation. Since there is a particular risk of misuse, for example with regard to academic titles, professions or company forms (in Germany, for instance, the ‘Gesellschaft mit beschränkter Haftung’ enjoys particular social trust because of its relatively high security in deposits), moreover, special review procedures should be established to make respective intends more difficult to realize.
As described within the context of Art. 15 Sec. 3 ePrivacy Regulation, deletion refers to both partial and entire removals of data. Resulting overlaps between Secs. 3 and 3a must be accepted and interpreted as part of a systematic difficulty of reconciling the contextual relationship between verification, correction and deletion with its logically superior applicability towards Secs. 1 and 3a. Thus, deletion, in the context of Art. 15 Sec. 3a Var. 3 ePrivacy Regulation, effectively applies only to Sec. 1, i.e. the deletion of personal data of natural persons, and represents little more than a clarification with regard to Sec. 3a.
Art. 15 Sec. 3aa ePrivacy Regulation allows Member States to provide by law that the requirements under Sec. 1aa (reduction of end-users´ participation rights to an objection), Sec. 2 (consent requirement for the installment of specific search functions) and Sec. 3 (legal persons´ right to object) may apply to providers of publicly available directories in addition to or instead of providers of number-based interpersonal communications services. This clarification is also relevant with regard to the original provision, speaking only of the latter as addressees of the norm. Subsequently, the legislator has thought only of service providers to offer respective services, which appears questionable in light of the finding that already Rec. 302 S. 1 EECC recognized the establishment of a sufficient market of different providers of publicly available directories. Indeed, one might raise the question, whether by way of an argumentum e contrario this might speak in favor of a total liberalization of the market for specialized directory-providers. Yet, in view of the express intent of the provision and its legal context, this argument cannot stand. Rather, Art. 15 Sec. 3aa serves the case that a Member State will subject providers of publicly available directories in the course of a legislative omission of prior restrictions and replace or extend competence in the course of a subsequent (partial) liberalization of the market.
Personal data of end-users, which is already included in a publicly available directory before entry into force of the ePrivacy Regulation, is not a subject to the provisions under Art. 15 ePrivacy Regulation. As Art. 15 Sec. 4a ePrivacy Regulation clarifies, such data can remain included and also be subject to search functions in the sense of Sec. 2, unless an express objection by the concerned person is given.