Search for:

Judgment of the Court in Case C-154/21 | Österreichische Post

In brief

On 12 January 2023, the Court of Justice of the European Union (CJEU) ruled that individuals have the right to know to whom their personal data has been disclosed, unless the controller can demonstrate that it is impossible to identify the recipients or that the request is manifestly unfounded or excessive.

Controllers must be able to provide information on the actual identity of all individuals and organizations to whom personal data is disclosed. This can be done for example, by maintaining up-to-date records on the  sharing of personal data or by any other (technical) means.

For further information and to discuss what these new developments mean to you, please get in touch with your Baker McKenzie data protection specialist.


In more detail

The case in question involved an individual who requested that Österreichische Post, the principal operator of postal and logistical services in Austria, reveal the identity of the recipients to whom it had disclosed their personal data.

Österreichische Post stated that it uses personal data, to the extent that this is legally permissible, for its activities as an address broker, and that it offers those personal data for marketing purposes to its business partners. The individual then brought a lawsuit against the company in Austria. During the judicial proceedings, Österreichische Post further informed the citizen of the categories of recipients, without however specifying their actual identity.

In this context, the Austrian Supreme Court requested a preliminary ruling from the CJEU on whether Article 15(1)(c) of the EU General Data Protection Regulation (GDPR) leaves to the data controller the choice to disclose either the specific identities of recipients or only their respective categories, or whether it affords the data subject the right to know the specific identities of recipients.

The CJEU ruled that, when personal data are disclosed to third parties, controllers have an obligation to provide the actual identity of those recipients to the data subjects upon their request, unless (a) it is impossible to identify those recipients (e.g., no data has been shared yet with one or multiple known third parties), or (b) the controller can demonstrate that the data subject’s information request is manifestly unfounded or excessive, in which cases the controller may indicate to the data subjects only the categories of recipient in question rather than their actual identity.

The CJEU highlighted that individuals need to access this information in order to be able to exercise their other rights provided by the GDPR, such as their right to rectification, erasure or their right to seek compensation for damages.

Author

Annie Elfassi is the Partner in charge of the Litigation and Employment departments of Baker McKenzie's Luxembourg office. She has over 19 years of experience. Prior to joining the Firm in 2019, Annie Elfassi was a member of the Litigation and Risk Management practice and headed the Employment department of a leading law firm in Luxembourg.

Author

Florence D'Ath is senior associate and head of the IPTech Practice Group in Luxembourg. Florence has more than eight years of experience in advising clients and representing them in court or in other proceedings. Prior to joining Baker McKenzie, Florence was a member of the Litigation and Risk Management Department of a leading Benelux law firm in Brussels and Luxembourg. She holds a doctorate in data protection law and regularly publishes academic articles in that field. She teaches EU law and data protection law at the University of Luxembourg and provides advanced training courses in commercial, IP/IT and regulatory law for both the private and public sector.

Write A Comment