OGH - 6Ob159/20f: Difference between revisions
Line 66: | Line 66: | ||
''Does the right to information on recipients under Article 15(1)(c) GDPR necessarily also extend to concrete recipients of personal data if the data has already been disclosed?'' | ''Does the right to information on recipients under Article 15(1)(c) GDPR necessarily also extend to concrete recipients of personal data if the data has already been disclosed?'' | ||
The OGH also provided a summary of existing legal opinions on the question of ''naming concrete recipients vs. stating only categories of recipients'' and argued that Article 15(1)(c) GDPR should be interpreted in light of the purpose of that provision. In the view of the OGH, the right to access is also a tool for the data subject to effectively exercise its rights under Article 16 et seqq. GDPR. Therefore, the controller should not have a choice to state only categories of recipients because that would hinder data subjects to exercise these | The OGH also provided a summary of existing legal opinions on the question of ''naming concrete recipients vs. stating only categories of recipients'' and argued that Article 15(1)(c) GDPR should be interpreted in light of the purpose of that provision. In the view of the OGH, the right to access is also a tool for the data subject to effectively exercise its rights under Article 16 et seqq. GDPR. Therefore, the controller should not have a choice to state only categories of recipients because that would hinder data subjects to exercise these rights as they would hardly ever receive anything but abstract information on categories of potential data recipients. | ||
===Holding=== | ===Holding=== |
Revision as of 11:29, 16 March 2021
OGH - 6Ob159/20f | |
---|---|
Court: | OGH (Austria) |
Jurisdiction: | Austria |
Relevant Law: | Article 12(1) GDPR Article 15(1)(c) GDPR |
Decided: | 18.02.2021 |
Published: | 10.03.2021 |
Parties: | unknown (claimant) Österreichische Post AG (defendant) |
National Case Number/Name: | 6Ob159/20f |
European Case Law Identifier: | ECLI:AT:OGH0002:2021:0060OB00159.20F.0218.000 |
Appeal from: | OLG Wien 14 R 159/19h-13 |
Appeal to: | Not appealed |
Original Language(s): | German |
Original Source: | Rechtsinformationssystem des Bundes (RIS) (in German) |
Initial Contributor: | n/a |
The Austrian Supreme court requested a preliminary ruling from the CJEU on whether Article 15(1)(c) GDPR requires the controller to name concrete recipients of the data (rather than just categories of recipients) if the data has already been disclosed to recipients.
English Summary
Background
On 15.01.2019 the claimant sent and access request under Article 15 GDPR to the defendant and requested i.a. information on concrete recipients of their personal data under Article 15(1)(c) GDPR. The defendant replied by referencing to its data protection notice which of course only listed categories of potential data recipients but did not name any concrete recipients.
The claimant filed a lawsuit with the Regional Court for Civil Matters Vienna (Landesgericht für Zivilrechtssachen Wien - LGfZRS Wien), requesting that the defendant had to name concrete recipients. In the course of the court procedure, the defendant stated that the claimant's data have been disclosed to the defendant's customers, which include "companies conducting advertising in the mail-order business and stationary trade, IT companies, address publishers and associations, NGOs or political parties". Again, the defendant did not name any concrete recipients.
Nevertheless, the LGfZRS Wien dismissed the case. After an unsuccessful appeal to the Higher Regional Court Vienna (Oberlandesgericht Wien - OLG Wien), the claimant flied a appeal with the Austrian Supreme Court (Oberster Gerichtshof - OGH).
Request for preliminary ruling
The OGH stayed the procedure and referred to following question to the CJEU under Article 267 TFEU:
Does the right to information on recipients under Article 15(1)(c) GDPR necessarily also extend to concrete recipients of personal data if the data has already been disclosed?
The OGH also provided a summary of existing legal opinions on the question of naming concrete recipients vs. stating only categories of recipients and argued that Article 15(1)(c) GDPR should be interpreted in light of the purpose of that provision. In the view of the OGH, the right to access is also a tool for the data subject to effectively exercise its rights under Article 16 et seqq. GDPR. Therefore, the controller should not have a choice to state only categories of recipients because that would hinder data subjects to exercise these rights as they would hardly ever receive anything but abstract information on categories of potential data recipients.
Holding
The OGH will take its decision in the merits of the case once the CJEU has decided on the requested preliminary ruling. This page will be adapted accordingly then and linked to the CJEU decision, which will also be published on GDPRhub.eu.
Comment
A request for a preliminary ruling on Article 15(1)(c) GDPR was long due. A lot of controllers argue that they have a choice to disclose either data recipients or mere categories of data recipients. The CJEU will now shed a light on this issue.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.
Court OGH Decision date 18.02.2021 Business number 6Ob159/20f Head The Supreme Court, as the court of appeal, by the President of the Senate, Dr Schramm, as Chairman, the Court Councillors Dr Gitschthaler, Dr Kodek and Dr Nowotny, as well as the Court Councillor Dr Faber, as further judges in the case of the plaintiff Dr F***** B*****, represented by Robert Haupt, LL.M., Rechtsanwalt in Vienna, against the defendant Ö*****, represented by Wolf Theiss Rechtsanwälte GmbH & Co KG in Vienna, concerning the provision of information pursuant to Article 15 of the Data Protection Regulation, in the proceedings on the appeal of the plaintiff against the judgment of the Oberlandesgericht Wien (Vienna Higher Regional Court) as the court of appeal of 24 April 2020, GZ 14 R 159. April 2020, GZ 14 R 159/19h-13, whereby the judgment of the Regional Court for Civil Matters Vienna of 28 October 2019, GZ 29 Cg 23/19v-8, was confirmed as a result of the appeal of the plaintiff, in a closed session, the following Resolution captured: Saying I. The following question is referred to the Court of Justice of the European Union for a preliminary ruling pursuant to Article 267 TFEU: Is Article 15(1)(c) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data, on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation, OJ 2016 L 119/1, p. 1; hereinafter 'GDPR') to be interpreted as meaning that the right to information on categories of recipients is limited where specific recipients have not yet been determined in the case of planned disclosures. (Data Protection Regulation, OJ 2016 L 119/1, p. 1; hereinafter 'the GDPR') to be interpreted as meaning that the right is limited to information on categories of recipients where specific recipients have not yet been determined in the case of planned disclosures, but the right to information must necessarily also extend to recipients of those disclosures where data have already been disclosed? II. the proceedings before the Supreme Court are suspended until the preliminary ruling of the Court of Justice of the European Union has been received in accordance with section 90a(1) GOG. Text Justification: 1] A. Facts 2] On 15 January 2019, the plaintiff requested the defendant, with reference to Article 15 of the GDPR, to provide information on which personal data about him the defendant was storing or had stored in the past, as well as information on where this data was stored and, if the data had been passed on, who the specific recipients were. 3] In the reply, the defendant stated that it used data, as far as legally permissible, in the context of its activities as an address publisher and offered them to business customers for marketing purposes. Moreover, it referred to a website for more detailed information and further data processing purposes. 4] This website provides general information about the purposes of the defendant's data processing. Finally, the defendant indicates on the website that the categories of (data) recipients can be found in point 3 of the privacy notice, with a link to another website. 5] On this further website, in turn, general data protection notices of the defendant can be found. Point 3.4 of the "Privacy Notice" reads as follows: "Other recipients: Within the framework of the contractual relationship and in particular in connection with our service obligation, your personal data may - depending on the individual case - be passed on to other recipients (such as other postal service providers [e.g. UPU, IPC], carriers, doctors, hospitals, insurance companies and brokers, experts, surveyors, lawyers, interest groups, address publishers and direct marketing companies, banks and investment companies, insurance companies, auditors, consultants, funding agencies, shareholders, investors). In addition, your data may be passed on to advertising companies under certain conditions. These are, for example, companies such as trading companies or associations that want to address consumers." 6] It was only in the course of the present court proceedings that the defendant informed the plaintiff in its statement of defence that the plaintiff's data had been processed for marketing purposes in the context of the address publishing company and had been passed on to business customers, which included advertising companies in the mail order and stationary trade, IT companies, address publishers and associations such as charitable organisations, NGOs or political parties. 7] At no time did the defendant disclose specific recipients of the plaintiff's data to the plaintiff. 8] B. Arguments of the parties 9] The plaintiff seeks an order that the defendant provide him with (improved) information pursuant to Article 15 of the GDPR, including information as to whether or not the plaintiff's personal data have been transferred and, if so, the recipient(s) to whom the plaintiff's personal data have been or will be disclosed. He argues that the information provided by the defendant does not comply with the legal requirements of Article 15 of the GDPR because it does not show whether the defendant has disclosed the plaintiff's personal data to third parties and, if there has been an actual disclosure, who the specific recipients of these data were. The information did not meet either the requirement of accuracy or the requirement of comprehensibility under Article 12(1), first sentence, of the GDPR. 10] The defendant argues that the information provided to the plaintiff before the action was brought complies with the requirements of Article 15 of the GDPR; in any event, the further information provided in the response is sufficient. [11] C. Procedure to date 12] The lower courts dismissed the claim. The Court of Appeal stated that as long as the transparency requirement contained in Article 12 of the GDPR was respected, a subsequent completion or specification of a data disclosure previously made pursuant to Article 15 of the GDPR was also to be considered legally compliant. From the perspective of an averagely educated person in Austria, the statement made in the statement of defence complies with Article 12(1) of the GDPR as the recipient of the statement, even if it is understood in conjunction with the pre-litigation letter of the defendant and the links to the websites. The wording "recipients or categories of recipients" in Article 15(1)(c) of the GDPR clearly indicates a right of choice on the part of the controller (party obliged to provide information), so that information on categories of recipients is sufficient and the individual recipients do not have to be named. [13] The Supreme Court has to decide on the plaintiff's appeal against the judgment of the Court of Appeal. Legal assessment 14] The Supreme Court decides to stay the appeal proceedings and to refer to the Court of Justice of the European Union questions of Union law essential for the decision of the case. [15] D. Applicable Union law GDPR: "CHAPTER III Rights of the data subject Section 1 Transparency and modalities Article 12 Transparent information, communication and modalities for the exercise of the data subject's rights 1. The controller shall take appropriate measures to provide the data subject with all the information referred to in Articles 13 and 14 and all the notifications referred to in Articles 15 to 22 and Article 34 which relate to the processing, in a precise, transparent, intelligible and easily accessible form and in plain and simple language; ... Article 15 Right of information of the data subject 1. The data subject shall have the right to obtain from the controller confirmation as to whether personal data concerning him or her are being processed and, if so, the right to obtain access to those personal data and the following information: (a) the purposes of the processing; (b) the categories of personal data processed; (c) the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular in the case of recipients in third countries or international organisations; (d) if possible, the planned duration for which the personal data will be stored or, if this is not possible, the criteria for determining that duration; (e) the existence of a right to obtain the rectification or erasure of personal data concerning him or her, or the restriction of processing by the controller, or a right to object to such processing; f) the existence of a right of appeal to a supervisory authority; (g) where the personal data are not collected from the data subject, any available information on the origin of the data; (h) the existence of automated decision-making, including profiling, pursuant to Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved and the scope and intended effects of such processing for the data subject. ...“ 16] E. Justification of the question referred for a preliminary ruling 1.1 On the first question, there are different doctrines in Austria and Germany: [18] 1.1.1 For a right of choice of the responsible person: 19] According to Haidinger in Knyrim, DatKomm Art 15 DSGVO Rz 39, the word "or" implies that the controller has the right to choose whether to disclose recipients or only categories of recipients. 20] Paal in Paal/Pauly, DS-GVO/BDSG2 Art 15 DSGVO Rz 6 takes the view that there is a right of choice between "recipients" and "categories of recipients" in favour of the controller; the controller can therefore always limit itself to specifying categories of recipients. 1.1.2 Against a right of choice of the responsible person: 22] Dix in Simitis/Hornung/Spiecker gen. Döhmann, Datenschutzrecht [2019] Art 15 Rz 20. 23] Bäcker in Kühling/Buchner, DS-GVO/BDSG2 Art 15 DSGVO Rz 16 f also takes the view that the controller does not have the right to choose: if he still knows or already knows the recipients of the data, he must name them upon request. If this leads to a collision between the data subject's data protection right to information and conflicting confidentiality interests of the data recipients, the right of the data subject prevails according to Art 15 GDPR. In this case, the data subject could also request information about the categories of recipients. 24] Ehmann in Ehmann/Selmayr, DSGVO2 Art 15 Rz 20 first argues that a comparison with Art 30 (1) lit d DSGVO shows that in the context of the right to information, the naming of the (concrete) recipients of personal data not mentioned there has priority over the naming of the categories of recipients exclusively mentioned there, and then focuses on the purpose of the right to information: Only the naming of the specific recipients makes it possible to verify the lawfulness of the processing. 25] Schantz in Schantz/Wolff, Das neue Datenschutzrecht [2017] marginal no. 1198, assumes that the data subject can choose whether he or she wants to know the names of the recipients or only the categories of the various recipients. Leaving it up to the controller to decide on the content of the information would considerably impair the practical effectiveness of the right to information, because knowledge of the specific recipients is often of great importance for the data subject. 26] Schmidt-Wudy in Wolff/Brink, BeckOK Datenschutzrecht32 (Status 1. 5. 2020) Art 15 DSGVO Rz 58 is of the opinion that it is questionable whether the "or" between "recipients" and "categories of recipients" implies a factual alternative or is to be understood as "and". The interpretation of the wording leaves it up to the controller to choose whether to disclose the recipients or the categories of recipients; recital 63 seems to support the view that in any case the "recipients" must be disclosed and the categories of recipients can be disclosed optionally. It seems appropriate to assume an obligation to provide information on recipients in every case, but only with regard to the categories of recipients if data have been or are to be disclosed more than once, as only then are there "categories of recipients". [27] 1.2. considerations of the Supreme Court: 28] The wording of Art 15(1)(c) GDPR does not allow for a conclusive assessment of the question. 29] The German version, by referring to the scope of the right to information of the data subject in Art 15 (1) second half-sentence of the GDPR and not to the correlating obligation to provide information of the controller, rather indicates a right of choice of the data subject. 30] Nichts anderes ergibt sich aus der Formulierung des entsprechenden Textabschnitts in der englischen (arg: "[...] the right to obtain [...] access to [...] the following information: [...] the recipients or categories of recipient to whom the personal data have been or will be disclosed") und der französischen Sprachfassung (arg: "[...] the right to obtain [...] the following information: the recipients or categories of recipients to whom the personal data have been or will be disclosed [...]"). 31] Unlike Art 15 GDPR, Art 13(1)(e) and Art 14(1)(e) GDPR do not provide for a (right of) access to information on "recipients or categories of recipients", but rather for an obligation to provide information on the part of the controller. 32] In addition, the obligation to provide information provided for in Articles 13 and 14 of the GDPR is linked to the point in time of the data collection - which necessarily precedes the data processing - so that the information must always be provided in advance, i.e. at a stage in which no actual disclosure of data to third parties can have taken place. The right to information under Art 15 GDPR, on the other hand, does not only extend to the currently processed data of the data subject, but also, according to its purpose, to the data processed in the past (fundamentally ECJ Case C-553/07, Rijkeboer, ECLI:EU:C:2009:293, para. 51 et seq.; the convincing considerations of this decision, which are based on the telos of the right to information, can also be applied to the right to information under Article 15 of the GDPR, especially since it can be deduced from recitals 9 and 10 of the GDPR that the European legislator did not intend to lower the level of protection compared to Directive 95/46/EC in general). Recital 63 of the GDPR states that "every data subject should therefore have the right to know and be informed ... of the identity of the recipients of the personal data...". This does not merely refer to "categories of recipients", which also suggests that the controller must name the individual recipients. 34] Against this background, the interpretation of Art 15(1)(c) GDPR must primarily be guided by the purpose of the provision: In this context, reference must first be made to the aforementioned telos of the right to information as an auxiliary claim for the effective enforcement of rights, in particular the rights of data subjects under Article 16 et seq. of the GDPR. This regulatory purpose clearly speaks in favour of an understanding - quite covered by the wording of the provision - to the effect that the controller does not have a discretionary right to choose how specifically to comply with the request for information about the recipients of personal data; rather, the data subject should in principle have the choice of whether to request information only about abstract categories of recipients or about the specific recipients of his or her data. The opposite understanding of the norm, on the basis of which the data controller could ultimately always retreat to merely informing about the category of recipients, would lead to a considerable impairment of the effectiveness of the legal remedies available to the data subject for the protection of his or her data, as intended by the European legislator: If the data controller - as the Court of Appeal and the defendant believe - has the free choice, a data controller will hardly ever provide detailed information about specific recipients, which involves considerable additional effort. In this case, the data subject will usually only be informed about abstract categories of recipients. If the question is answered in the affirmative, the defendant would not have fully complied with the obligation to provide information pursuant to Art. 15 GDPR due to the lack of naming the specific recipients and the claim would have to be granted. 36] F. The decision to stay the proceedings is based on § 90a (1) GOG. European Case Law Identifier ECLI:AT:OGH0002:2021:0060OB00159.20F.0218.000