In a decision of 12 January 2023, the European Court of Justice (“ECJ”) clarified the scope of Article 15(1)(c) of Regulation (EU)2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”).
Legal context and background
Article 15(1)(c) of the GDPR establishes a right of access of the data subject and enables the data subject to obtain from the controller confirmation as to whether or not his or her personal data are being processed, and, where that is the case, access to this data and to the recipients or categories of recipient to whom the personal data have been or will be disclosed.
Based on this Article, the claimant, an Austrian citizen, asked the Österreichische Post (“Post”) in January 2019 (i) to be given access to his personal data and (ii) in the event that the data had been disclosed to third parties, information on the identity of the recipients.
Post refused to access the claimant’s request.
Proceedings before the Austrian courts and referral to the ECJ
The claimant initiated a legal action against Post before the Austrian courts, seeking an order for Post to provide him with the identity of the recipients of the personal data disclosed. During the proceedings, Post informed the claimant of the categories of recipients to whom the data are transferred.
The courts on first instance and on appeal dismissed the claimant’s action on the ground that Article 15(1)(c), by referring to “recipients or categories of recipient”, gives the controller the option of informing the data subject only of the categories of recipient, without having to identify by name the specific recipients to whom personal data are transferred.
The claimant brought an appeal before the Austrian Supreme Court, which decided to refer to the ECJ for a preliminary ruling, as it considered that it was not clear if Article 15(1)(c) grants the data subject the right of access to information relating to the specific recipients of the disclosed data, or if the controller has discretion as to how to respond to a request for access to information about the recipients.
Decision of the ECJ - obligation on the part of the controller to provide the data subject with the identity of the recipients
The ECJ first noted that the terms “recipients” and “categories of recipients” used in Article 15(1)(c) are used in succession, without it being possible to infer an order of priority between them.
The ECJ then referred to recital 63 of the GDPR, which states that data subject must have the right to know and obtain communication in particular with regard to the recipients of the personal data. Recital 63 does not state that that right may be restricted solely to categories of recipient.
The ECJ further highlighted that in accordance with the principle of transparency, the data subject must have information about how his or her personal data are processed and that that information be easily accessible and easy to understand.
The ECJ finally reminded that the exercise of the right of access must enable the data subject to verify that his or her data have been disclosed to authorized recipients.
Based on the above reasoning, the ECJ concluded that the data subject must have the right to be informed of the identity of the specific recipients where his or her personal data have already been disclosed.
The information provided to the data subject must be as precise as possible. In particular, the ECJ ruled that that right of access entails the ability of the data subject to obtain from the controller information about the specific recipients to whom the data have been or will be disclosed or, alternatively, to elect merely to request information concerning the categories of recipient. The choice is hence on the data subject and not on the controller.
Exceptions identified by the ECJ
The ECJ reminded that the right to the protection of personal data is not an absolute right, and that it must be balanced against other fundamental rights, in accordance with the principle of proportionality.
As a consequence, the ECJ ruled that the right of access may be restricted to information about categories of recipient if it is impossible to disclose the identity of specific recipients, in particular where they are not yet known.
In addition, the ECJ reminded that, under Article 12(5)(b) of the GDPR, the controller may refuse to act on requests from a data subject where those requests are manifestly unfounded or excessive.
Conclusion
While this decision of the ECJ is in line with the core principles established by the GDPR, it has the merit of providing an interesting clarification on how to address the right of access of the data subjects.
Share on