Transparency permits individuals to understand how their personal data is being collected, used, and shared, and to make an educated decision on whether to provide that data. Moreover, transparency allows organisations to identify and address potential data protection risks.
On the 12th January 2023, the European Court of Justice (“ECJ”) decided that companies are obliged, at the request of the data subject, to disclose with whom exactly they shared personal data (Case C-154/21). The request for a preliminary ruling from the ECJ was made in proceedings between RW and Österreichische Post AG (‘Österreichische Post’) concerning a request for access to personal data pursuant to Article 15(1)(c) of the General Data Protection Regulation (“GDPR”).
Facts and Background
On the 15th January 2019, RW asked Österreichische Post, under Article 15 of the GDPR, for access to the personal data concerning him which were being stored or had previously been stored by Österreichische Post and, if the data had been disclosed to third parties, for information as to the identity of the recipients.
However, when data subjects requested information about such third-party data recipients, the Austrian postal service refused to disclose such information. Instead, it responded to the data subjects’ right of access requests by merely listing “categories of recipients”, like “advertisers trading via mail order and stationary outlets, IT companies, mailing list providers and associations such as charitable organisations, non-governmental organisations (NGOs) or political parties.”
The courts, at first instance and on appeal, dismissed RW’s action on the ground that Article 15(1)(c) of the GDPR, by referring to “recipients or categories of recipient”, gives the controller the option of informing the data subject only of the categories of recipient, without having to identify by name the specific recipients to whom personal data are transferred. RW brought an appeal on a point of law (Revision) before the Oberster Gerichtshof (Supreme Court, Austria), the referring court.
The referring court was uncertain as to whether this practice satisfied the requirements of Article 15 GDPR, and thus referred the question to the ECJ for a preliminary ruling on the interpretation of Article 15 of the GDPR.
Decision of the ECJ
In the view of the ECJ, Article 15 GDPR provides for the right of every individual to access data concerning him or her, as enshrined in Article 8(2) of the Charter of Fundamental Rights of the European Union. The data subjects need to know the recipients by name in order to exercise such a right. The ECJ had previously held that the exercise of the right of access must enable the data subject to verify not only that the data concerning him are accurate, but also that they are disclosed in a lawful manner (see, by analogy, judgments of 17 July 2014, YS and Others, C‑141/12 and C‑372/12, EU:C:2014:2081, paragraph 44, and of 20 December 2017, Nowak, C‑434/16, EU:C:2017:994, paragraph 57), and in particular, that they have been disclosed to authorised recipients (see, by analogy, judgment of 7 May 2009, Rijkeboer, C‑553/07, EU:C:2009:293, paragraph 49).
These rights would be ineffective without having knowledge of the recipients. Therefore, it was concluded that data subjects have the right to receive a detailed list of any third party that received their personal information.
It should be borne in mind, however, that the right to know the data recipients is not an unlimited right. Under Article 12(5)(b) of the GDPR, the controller may, pursuant to the principle of responsibility referred to in Article 5(2) and recital 74 of that regulation, refuse to act on requests from a data subject where those requests are manifestly unfounded or excessive. The controller may also refuse to act on such requests if it is impossible to identify the recipients. “Impossibility” may be an argument to reject the provision of detailed information on the data recipients where the recipient is not yet known, e.g. if data might only be transferred in the future. The onus of proof with respect to these limitations rests with the data controller.
Companies should be transparent in the manner in which they process personal data. As we have seen from this judgment, data subjects have the right to obtain detailed information about any recipient receiving their personal data. That being said, it is important to note that such a right is not unlimited and therefore the controller may reject such requests from data subjects in certain instances.