On the 12^th of January 2023, the Court of Justice of the EU (the “CJEU”), issued a Preliminary Ruling clarifying the interpretation of the Right of Access enshrined in the General Data Protection Regulation (the “GDPR”).

More specifically, clarifying the interpretation of article 15(1)(c) of the GDPR, which provides:

“The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:

(…)

(c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;

(…)”

Background

A data subject requested Österreichische Post (the main postal / logistics operator in Austria) to disclose to him the identity of the recipients to whom it had disclosed his personal data.

The request was made on the basis of the GDPR’s Right of Access.

In response to the request, Österreichische Post only stated that it uses personal data to the extent permissible by law, in the course of its activities as publisher of directories and that it offers such personal data to trading partners for marketing purposes.

Judicial proceedings were then brought before the Austrian courts and during such judicial proceedings, Österreichische Post further informed the data subject that his personal data had been forwarded to customers, including advertisers trading via mail order and stationary outlets, IT companies, mailing list providers and associations such as charitable organisations, non-governmental organisations (NGOs) or political parties – therefore Österreichische Post provided the categories of respective recipients to the data subject, without disclosing their specific identity.

The Supreme Court in Austria (the “Oberster Gerichtshof”), while hearing the dispute as last instance, referred to the CJEU for a Preliminary Ruling on whether the GDPR leaves the data controller the choice to disclose to a data subject either the specific identity of the recipients of his personal data or only the categories of recipients, or whether it gives the data subject the right to know their specific identity.

Ruling

The CJEU ruled that article 15(1)(c) of the GDPR with regard to the Right of Access, is to be interpreted as meaning that where the personal data have been or will be disclosed to recipients, that there is an obligation on the part of the controller to provide the data subject with the actual identity of those recipients.

That said, the CJEU also:

1. Emphasised that the right to the protection (and access) of personal data is not an absolute right. That right must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality. In turn, the CJEU accepted that as provided terms of article 19 of the GDPR, in specific circumstances, it may not be possible to provide information about specific recipients; and
2. Noted that in context of the Right of Access, it is also possible that a data controller refuses to act on the data subject’s request, if the data controller can demonstrate that the data subject’s requests for access are manifestly unfounded or excessive within the meaning of article 12(5) of the GDPR.

In such cases, the controller may indicate to the data subject only the categories of recipients in question (instead of the actual identity of those recipients).

For further information and assistance about Data Protection and Privacy Law, kindly contact Dr Terence Cassar and Dr Ian Gauci.