Judgment of the Court in Case C-154/21 | Österreichische Post
In brief
On 12 January 2023, the Court of Justice of the European Union (CJEU) ruled that individuals have the right to know to whom their personal data has been disclosed, unless the controller can demonstrate that it is impossible to identify the recipients or that the request is manifestly unfounded or excessive.
Controllers must be able to provide information on the actual identity of all individuals and organizations to whom personal data is disclosed. This can be done for example, by maintaining up-to-date records on the sharing of personal data or by any other (technical) means.
For further information and to discuss what these new developments mean to you, please get in touch with your Baker McKenzie data protection specialist.
In more detail
The case in question involved an individual who requested that Österreichische Post, the principal operator of postal and logistical services in Austria, reveal the identity of the recipients to whom it had disclosed their personal data.
Österreichische Post stated that it uses personal data, to the extent that this is legally permissible, for its activities as an address broker, and that it offers those personal data for marketing purposes to its business partners. The individual then brought a lawsuit against the company in Austria. During the judicial proceedings, Österreichische Post further informed the citizen of the categories of recipients, without however specifying their actual identity.
In this context, the Austrian Supreme Court requested a preliminary ruling from the CJEU on whether Article 15(1)(c) of the EU General Data Protection Regulation (GDPR) leaves to the data controller the choice to disclose either the specific identities of recipients or only their respective categories, or whether it affords the data subject the right to know the specific identities of recipients.
The CJEU ruled that, when personal data are disclosed to third parties, controllers have an obligation to provide the actual identity of those recipients to the data subjects upon their request, unless (a) it is impossible to identify those recipients (e.g., no data has been shared yet with one or multiple known third parties), or (b) the controller can demonstrate that the data subject’s information request is manifestly unfounded or excessive, in which cases the controller may indicate to the data subjects only the categories of recipient in question rather than their actual identity.
The CJEU highlighted that individuals need to access this information in order to be able to exercise their other rights provided by the GDPR, such as their right to rectification, erasure or their right to seek compensation for damages.