CJEU - C-154/21 - RW v Österreichische Post

From GDPRhub
CJEU - C-154/21 RW v Österreichische Post
Court: CJEU
Jurisdiction: European Union
Relevant Law: Article 5(1)(a) GDPR
Article 12(5)(b) GDPR
Article 15(1)(c) GDPR
Article 19 GDPR
Decided: 12.01.2023
Parties:
Case Number/Name: C-154/21 RW v Österreichische Post
European Case Law Identifier: ECLI:EU:C:2023:3
Reference from: OGH (Austria)
Language: 24 EU Languages
Original Source: AG Opinion
Judgement
Initial Contributor: n/a

The CJEU held that Article 15(1)(c) GDPR obliges the controller to disclose the identity of specific recipients of personal data if the data subject requests it, unless the request is manifestly unfounded or excessive, in which case information about categories of recipients is sufficient.

English Summary

Facts

A data subject sent an access request to the Austrian Post (the controller) to obtain information about what personal data about him was processed as well as whether it was disclosed to third parties, and if yes, who these recipients were. The controller provided a generic response regarding the recipients of personal data, only referring to a general website naming activities of the recipients, such as telephone directories or marketing actors. The controller did not inform the data subject about the specific identity of the recipients.

Consequently, the data subject took action before Austrian courts in order to obtain information about specific recipients. Both the court of first instance and the court of appeal dismissed the action, stating that Article 15(1)(c) GDPR gives the controller discretion to choose whether they wish to provide information about 'recipients' or 'categories of recipients' only. In the meantime, the controller provided information with regard to the categories of recipients, which included charities, NGOs and political parties, but refused to reveal their identity.

The Austrian Supreme Court decided to refer the matter to the Court of Justice of the European Union (CJEU, the Court) in order to obtain clarification on the interpretation of Article 15 GDPR. The Supreme Court asked the following preliminary question:

'Is Article 15(1)(c) of the GDPR to be interpreted as meaning that the claim is limited to information on categories of recipients if specific recipients have not yet been determined in the case of planned disclosures, but the right to information must necessarily also extend to recipients of these disclosures if data have already been disclosed?'

Advocate General Opinion

Advocate General Pitruzzella noted that provisions of EU law must be interpreted in such a way as to ensure their effectiveness. Since Article 15 GDPR provides a genuine right of access, it is a necessary pre-condition for the exercise of other data subject rights under the GDPR. Moreover, it follows from the contextual reading of Article 19 GDPR that the controller must inform data subjects of specific recipients of their personal data. However, since the right to data protection is not absolute, the right to receive information on specific recipients may be limited to categories of recipients if the controller proves that the data subject request was manifestly unfounded or excessive (Article 12(5)(b) GDPR).

Holding

The CJEU agreed with the referring court that it was unclear from the wording of Article 15(1)(c) GDPR whether there is a relationship of priority between ‘recipients’ and ‘categories of recipients’ as they are listed side by side. However, from the context in which the provision is placed as well as the reading of Recital 63 GDPR, the data subject must have a right to know and be informed, in particular of the recipients of personal data. The Court pointed out that Recital 63 GDPR does not mention that this right can be limited to only categories of recipients.

Further, the Court noted that any processing must comply with Article 5 GDPR, including the principle of transparency (Article 5(1)(a) GDPR). Following the Opinion of the Advocate General, the CJEU held that, unlike Articles 13 and 14 GDPR, Article 15 GDPR provides an actual right of access (not just a right to information) for the benefit of the data subject so that they must be able to choose whether to be provided with information on specific recipients or with information on categories of recipients. Furthermore, the right of access is necessary to exercise other data subject rights effectively and to obtain remedies. Thus, the data subject must have the right to be informed of the identity of the specific recipients when their personal data have already been disclosed.

According to the CJEU, this interpretation is confirmed by Article 19 GDPR. Namely, the data subject has the explicit right to be informed by the controller of the specific recipients of the data concerning him or her, as part of the controller's obligation to inform all recipients of the exercise of the rights that the data subject has under Articles 16, 17(1) and 18 GDPR.

The Court also made reference to Recital 10 GDPR and Article 8 of the Charter of Fundamental Rights of the EU. From the objectives of the GDPR, which include safeguarding the right to data protection, it follows that the data subject also has the right to obtain from the controller information on the specific recipients to whom personal data concerning him or her have been or will be disclosed in the future.

However, the right to data protection is not absolute and requires a balance of the interests at stake. Hence, the right of access may be limited to information on categories of recipients if it is not possible to communicate the identity of the concrete recipients, especially if they are not yet known. Additionally, the Court held, in line with Article 12(5)(b) GDPR, the controller may only inform about categories of recipients if the request is manifestly unfounded or excessive.

In conclusion, the CJEU held that a controller is obliged to provide the data subject with the actual identity of recipients, unless it is impossible to identify those recipients or the controller demonstrates that the data subject’s requests for access are manifestly unfounded or excessive.

Comment

According to Article 12(5) GDPR, if the controller demonstrates that the data subject’s requests for access are manifestly unfounded or excessive, the controller can charge a reasonable fee or refuse to act on the request. Therefore the last sentence of the judgment seems to refer to the unfounded or excessive nature of the part of the request asking for the identity of the recipients.
