On the 12th of January 2023, a preliminary ruling in the proceedings of RW v Österreichische Post AG, was pronounced by the Court of Justice of the European Union (CJEU) concerning the right of access of the data subject to his data, as laid down in Article 15 of the General Data Protection Regulation (GDPR).
In 2019, RW asked for access to his personal data which was stored by Österreichische Post and further requested clarification as to whether such data had been disclosed to third parties, and if so to identify the recipients. Österreichische Post claimed that it only utilises data in the course of its business as a publisher of telephone directories, to the extent that is permitted by law, and that it makes that personal data available to trading partners for marketing purposes. It did not however reveal who the individual recipients of the data were. Dissatisfied with the response received, RW instituted proceedings against Österreichische Post seeking an order which would force Österreichische Post to disclose the information, including the names of the recipients, of the exposed personal data.
Both the Austrian Court of first instance and court of Appeal decided that, since Article 15(1)(c) of the GDPR stipulates that the data subject has the right to obtain information regarding the “recipients or categories of recipients” of such personal data, it suffices that the data controller, in this case being Österreichische Post, provides the data subject with just the category of the receipts rather than the full name and particulars of such recipients. In fact, Österreichische Post had informed RW that his personal data was processed for marketing purposes and forwarded to customers, including advertisers trading via mail order and stationary outlets, IT companies, mailing list providers and associations such as charitable organisations, non-governmental organisations (NGOs) or political parties.
Displeased with this verdict, RW instituted an appeal on a point of law before the Supreme Court of Austria. In turn the Supreme Court decided to stay the proceedings and refer the question to the CJEU in order to clarify the interpretation of Article 15(1)(c) GDPR as to whether the right to access is to be limited to information concerning categories of recipients, where specific recipients have not yet been determined in the case of planned disclosures, or whether it should extend that right to include information on who the recipients are (not just the category) in situations where the data has already been disclosed.
In the preliminary ruling, the Advocate General referred to Recital 63 GDPR which provides that the data subject has the right to know and obtain communication, specifically with regard to the recipients of the personal data. It does not, however, state that this right may be limited solely to the categories of recipients. Reference was also made to Article 19 GDPR, which states that, in accordance with the controller’s duty to notify all recipients of the exercise of the data subject’s rights under Article 16, Article 17(1), and Article 18 GDPR, the data subject has the right to be informed of the specific recipients of the data that the controller holds about him or her. Therefore, it follows that the data subject has the right to learn from the controller which specific recipients have received or will receive his personal information.
That being said, Recital 4 GDPR, asserts that “the right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality”. This point was also reaffirmed in paragraph 172 of the 2020 judgment Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems. Consequently, it may be understood that it is not always possible to disclose information about individual recipients. Hence, where it is impossible to divulge the name of specific recipients, especially when they are not yet known, the right of access may be limited to information regarding categories of recipients.
Additionally, it should be kept in mind that under Article 12(5)(b) GDPR, the controller may refuse to act on requests from a data subject if those requests are manifestly excessive or unfounded. It should also be noted, however, that the controller is responsible for proving that those requests are excessive or unfounded. With this in mind, the CJEU observed that in the case at hand, it was clear from the request for a preliminary judgement that Österreichische Post rejected RW’s request under Article 15(1)(c) GDPR to be informed of the names of the recipients to whom Österreichische Post had transferred RW’s personal data and that thus, it will be up to the referring court to decide whether Österreichische Post has proven that this request is clearly excessive or manifestly unfounded.
The CJEU concluded that Article 15(1)(c) GDPR must be interpreted to mean that the data subject’s right of access to his/her personal information, entails (where the data has been or will be disclosed to recipients) an obligation on the part of the controller to provide the data subject with the actual identity of those recipients, unless it is impossible to identify those recipients or the controller proves that the data subject’s request is excessive or manifestly unfounded in terms of Article 12(5) GDPR, in which cases the controller may indicate to the data subject only the categories of recipient in question.