Taxes, accounting, law and more. All the key news for your business.
Veronika Odrobinová | Jan Nešpor | February 21, 2023
The Court of Justice of the EU (CJEU) has ruled on a preliminary question, which arose before the Austrian Supreme Court (Oberster Gerichtshof) in a dispute between the data subject, Mr RW, and Österreichische Post.
At the core of the dispute was Mr RW’s request for information about all the data the Österreischische Post held on him and how it processed them. In particular, this included information on the identity of all subjects to whom the data were disclosed. In response to this request, Österreichische Post initially replied that, within the scope of its authorised activities, it disclosed this information to its clients for marketing purposes, which as it later stated were IT companies, non-profit organisations, political parties, etc.
However, this response was not satisfactory, so RW brought an action before an Austrian court seeking disclosure of the identity of the recipients of his data. Both the court of first instance and the Court of Appeal rejected Mr RW’s claim, arguing that Mr RW (as a data subject) is only entitled to information about categories of recipients, not about the identity of the individual recipients of personal data, citing Article 15(1)(c) of the GDPR, which provides that:
“The data subject shall have the right to obtain confirmation from the controller as to whether or not personal data concerning him or her are being processed and, if so, to obtain access to those personal data and to the following information (...)
(c) recipients or categories of recipients, to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations (...)”
The Austrian Supreme Court, as the court of last instance, referred a preliminary question to the CJEU when examining the dispute, i.e. if the data controller (in this case Österreichische Post) has the right to decide whether provide the data subject (in this case Mr RW) only with information on the category of recipients or also on the identity of specific recipients.
The CJEU examined the respective question particularly in the light of the relevant provisions of the GDPR, the context in which the GDPR was adopted, and the guiding principle of transparency set out in Article 5(1)(a) of the GDPR. It concluded that the provision in question, Article 15(1)(c) GDPR, must be interpreted as meaning that the data controller cannot choose whether to provide information on the category of recipient or the specific identity of the recipient.
Therefore, if the data subject requests information about the specific identity of the recipient of his/her personal data, the data controller is obliged to do so. At the same time, however, the CJEU has also defined the circumstances, in which the data controller may refuse to provide information on the specific identity of data recipients.
If you would like more information, please contact us.
Author: Veronika Odrobinová, Jan Nešpor