More specifically, clarifying the interpretation of article 15(1)(c) of the GDPR, which provides:
“The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
(c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
A data subject requested Österreichische Post (the main postal / logistics operator in Austria) to disclose to him the identity of the recipients to whom it had disclosed his personal data.
The request was made on the basis of the GDPR’s Right of Access.
In response to the request, Österreichische Post only stated that it uses personal data to the extent permissible by law, in the course of its activities as publisher of directories and that it offers such personal data to trading partners for marketing purposes.
Judicial proceedings were then brought before the Austrian courts and during such judicial proceedings, Österreichische Post further informed the data subject that his personal data had been forwarded to customers, including advertisers trading via mail order and stationary outlets, IT companies, mailing list providers and associations such as charitable organisations, non-governmental organisations (NGOs) or political parties – therefore Österreichische Post provided the categories of respective recipients to the data subject, without disclosing their specific identity.
The Supreme Court in Austria (the “Oberster Gerichtshof”), while hearing the dispute as last instance, referred to the CJEU for a Preliminary Ruling on whether the GDPR leaves the data controller the choice to disclose to a data subject either the specific identity of the recipients of his personal data or only the categories of recipients, or whether it gives the data subject the right to know their specific identity.
The CJEU ruled that article 15(1)(c) of the GDPR with regard to the Right of Access, is to be interpreted as meaning that where the personal data have been or will be disclosed to recipients, that there is an obligation on the part of the controller to provide the data subject with the actual identity of those recipients.
That said, the CJEU also:
In such cases, the controller may indicate to the data subject only the categories of recipients in question (instead of the actual identity of those recipients).