ECJ: Every person has the right to know to whom his or her personal data have been disclosed.

According to ECJ's Judgment (12/1/2023) in Case C-154/21 (Österreichische Post), every person has the right to know to whom his or her personal data have been disclosed. Nevertheless, the controller may indicate only the categories of recipient if it is impossible to identify the recipients or the request is manifestly unfounded or excessive. 

A citizen requested Österreichische Post, the principal operator of postal and logistical services in Austria, to disclose to him the identity of the recipients to whom it had disclosed his personal data. He relied on the EU General Data Protection Regulation (GDPR). That regulation provides that the data subject has the right to obtain from the controller information about the recipients or categories of recipient to whom his or her personal data have been or will be disclosed. 

In response to the citizen’s request, Österreichische Post merely stated that it uses personal data, to the extent permissible by law, in the course of its activities as a publisher of telephone directories and that it offers those personal data to trading partners for marketing purposes. The citizen therefore brought proceedings against Österreichische Post before the Austrian courts. 

During the judicial proceedings, Österreichische Post further informed the citizen that his data had been forwarded to customers, including advertisers trading via mail order and stationary outlets, IT companies, mailing list providers and associations such as charitable organisations, non-governmental organisations (NGOs) or political parties. 

The Oberster Gerichtshof (Supreme Court, Austria), hearing the dispute at last instance, wishes to know whether the GDPR leaves the data controller the choice to disclose either the specific identity of the recipients or only the categories of recipient, or whether it gives the data subject the right to know their specific identity. 

In its judgment, the Court replies that where personal data have been or will be disclosed to recipients, there is an obligation on the part of the controller to provide the data subject, on request, with the actual identity of those recipients. It is only where it is not (yet) possible to identify those recipients that the controller may indicate only the categories of recipient in question. That is also the case where the controller demonstrates that the request is manifestly unfounded or excessive. 

The Court points out that the data subject’s right of access is necessary to enable the data subject to exercise other rights conferred by the GDPR, namely his or her right to rectification, right to erasure (‘right to be forgotten’), right to restriction of processing, right to object to processing or right of action where he or she suffers damage. (source: curia.europa.eu / photo: freepik.com)

Comments

Editorial

Editorial
George Kazoleas, Lawyer

Top Stories

Ombudsman inquiry on Commission President’s text messages is a wake-up call for EU

Daily Mail publisher wins case against ‘success fees’ paid to lawyers (ECtHR)

ECtHR elects a new Vice-President of the Court and two new Section Presidents

Intellectual property: the figurative sign consisting of the phrase ‘RUSSIAN WARSHIP, GO F* *K yourself’ in Russian and English cannot be registered as an EU trade mark

The banks Crédit agricole and Credit Suisse participated in a cartel in the sector for suprasovereign bonds, sovereign bonds and public agency bonds denominated in US dollars

European Ombudsman asks Commission to publish details of its handling of senior staff move to law firm

A national court is not required to apply a decision of its constitutional court that infringes EU law (ECJ)