CDE Almería - Centro de Documentación Europea - Universidad de Almería

Centro de Documentación Europea de la Universidad de Almería

PRESS RELEASE No 4/23
Luxembourg, 12 January 2023
Judgment of the Court in Case C-154/21

2 personas firmando un papel

Nevertheless, the controller may indicate only the categories of recipient if it is impossible to identify the recipients or the request is manifestly unfounded or excessive

A citizen requested Österreichische Post, the principal operator of postal and logistical services in Austria, to disclose to him the identity of the recipients to whom it had disclosed his personal data.

He relied on the EU General Data Protection Regulation (GDPR). That regulation provides that the data subject has the right to obtain from the controller information about the recipients or categories of recipient to whom his or her personal data have been or will be disclosed.

In response to the citizen’s request, Österreichische Post merely stated that it uses personal data, to the extent permissible by law, in the course of its activities as a publisher of telephone directories and that it offers those personal data to trading partners for marketing purposes. The citizen therefore brought proceedings against Österreichische Post before the Austrian courts.

During the judicial proceedings, Österreichische Post further informed the citizen that his data had been forwarded mto customers, including advertisers trading via mail order and stationary outlets, IT companies, mailing list providers and associations such as charitable organisations, non-governmental organisations (NGOs) or political parties.

Asunto C-154/21 – RW contra Österreichische Post AG.

The Oberster Gerichtshof (Supreme Court, Austria), hearing the dispute at last instance, wishes to know whether the GDPR leaves the data controller the choice to disclose either the specific identity of the recipients or only the categories of recipient, or whether it gives the data subject the right to know their specific identity.

In its judgment, the Court replies that where personal data have been or will be disclosed to recipients, there is an obligation on the part of the controller to provide the data subject, on request, with the actual identity of those recipients. It is only where it is not (yet) possible to identify those recipients that the controller may indicate only the categories of recipient in question. That is also the case where the controller demonstrates that the request is manifestly unfounded or excessive.

The Court points out that the data subject’s right of access is necessary to enable the data subject to exercise other rights conferred by the GDPR, namely his or her right to rectification, right to erasure (‘right to be forgotten’), right to restriction of processing, right to object to processing or right of action where he or she suffers
damage.

Source: Press Release – Curia

Publicaciones relacionadas:

Spanish courts must ensure that clauses in mortgage loan contracts providing for the application of a variable interest rate are clear and understandable Judgment of the ECJ on the imposition of compensation claims for flight delays Poland, Hungary and the Czech Republic have failed to fulfil their obligations under European Union law peones de ajedrez en grupo y peón solitarioJudgment of the CJEU on homophobic discrimination in the workplace Intensified judicial response to serious cross-border crimes

“This is a space for debate. All comments, for or against publication, that are respectful and do not contain expressions that are discriminatory, defamatory or contrary to current legislation will be published”.

Reader Interactions

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.