ECJ: Every person has the right to know to whom his or her personal data have been disclosed.

According to ECJ's Judgment (12/1/2023) in Case C-154/21 (Österreichische Post), every person has the right to know to whom his or her personal data have been disclosed. Nevertheless, the controller may indicate only the categories of recipient if it is impossible to identify the recipients or the request is manifestly unfounded or excessive. 

A citizen requested Österreichische Post, the principal operator of postal and logistical services in Austria, to disclose to him the identity of the recipients to whom it had disclosed his personal data. He relied on the EU General Data Protection Regulation (GDPR). That regulation provides that the data subject has the right to obtain from the controller information about the recipients or categories of recipient to whom his or her personal data have been or will be disclosed. 

In response to the citizen’s request, Österreichische Post merely stated that it uses personal data, to the extent permissible by law, in the course of its activities as a publisher of telephone directories and that it offers those personal data to trading partners for marketing purposes. The citizen therefore brought proceedings against Österreichische Post before the Austrian courts. 

During the judicial proceedings, Österreichische Post further informed the citizen that his data had been forwarded to customers, including advertisers trading via mail order and stationary outlets, IT companies, mailing list providers and associations such as charitable organisations, non-governmental organisations (NGOs) or political parties. 

The Oberster Gerichtshof (Supreme Court, Austria), hearing the dispute at last instance, wishes to know whether the GDPR leaves the data controller the choice to disclose either the specific identity of the recipients or only the categories of recipient, or whether it gives the data subject the right to know their specific identity. 

In its judgment, the Court replies that where personal data have been or will be disclosed to recipients, there is an obligation on the part of the controller to provide the data subject, on request, with the actual identity of those recipients. It is only where it is not (yet) possible to identify those recipients that the controller may indicate only the categories of recipient in question. That is also the case where the controller demonstrates that the request is manifestly unfounded or excessive. 

The Court points out that the data subject’s right of access is necessary to enable the data subject to exercise other rights conferred by the GDPR, namely his or her right to rectification, right to erasure (‘right to be forgotten’), right to restriction of processing, right to object to processing or right of action where he or she suffers damage. (source: curia.europa.eu / photo: freepik.com)

Comments

Popular posts from this blog

The EU’s Data Act: Data protection must prevail to empower data subjects

Excessive formalism as a restriction on the right of access to justice

Significant numbers of young lawyers want to leave their current job: New report by International Bar Association