Recently there have been two cases in Austria concerning the right of access. Specifically, they address whether the individuals (or organisations) who received personal data as a result of a data breach must be named as recipients when a data subject exercises the right of access, and whether the controller may choose to disclose only the categories of recipients rather than their specific identities.

In the first case, an individual (the plaintiff) requested that Österreichische Post (the defendant), the principal operator of postal and logistics services in Austria, reveal the identity of the recipients to whom it had disclosed their personal data.
The defendant stated that it uses personal data, to the extent that this is legally permissible, for its activities as an address broker, and that it offers those personal data for marketing purposes to its business partners. The plaintiff brought a lawsuit against the company in Austria. During the judicial proceedings, Österreichische Post further informed the citizen of the categories of recipients, without however specifying their actual identity.
The Austrian Supreme Court requested a preliminary ruling from the CJEU on whether Article 15(1)(c) of the EU General Data Protection Regulation (GDPR) leaves to the data controller the choice to disclose either the specific identities of recipients or only their respective categories, or whether it affords the data subject the right to know the specific identities of recipients.
The CJEU ruled that, when personal data are disclosed to third parties, controllers have an obligation to provide the actual identity of those recipients to the data subjects upon their request, unless
(a) it is impossible to identify those recipients (e.g., no data has been shared yet with one or multiple known third parties),
or
(b) the controller can demonstrate that the data subject’s information request is manifestly unfounded or excessive, in which cases the controller may indicate to the data subjects only the categories of recipient in question rather than their actual identity.
The CJEU stressed that it is essential for individuals to have access to this information in order to be able to exercise their other rights under the GDPR, such as the right to rectification, the right to erasure, and the right to seek compensation for damages.
The second case concerned whether the recipients of personal data disclosed in a data breach must be named when a data subject exercises the right of access.
From January 2021 to June 2021, the defendant, a company running COVID test centres, performed PCR tests. In August 2021, the former CEO of the company sent an e-mail with an Excel spreadsheet attached to someone outside the company. This Excel file contained more than 24,000 test results and personal data of the testees (name, address, date of birth, test date and result).
The leak was reported by two newspapers, which later received that Excel file. The plaintiff requested access to his personal data but received no information regarding the data breach. The plaintiff argued that the information was incomplete, which constituted a breach of Art. 15(1)(c) and Art. 34 GDPR.
In its decision of March 24, 2023, the Austrian Supreme Court of Justice (OGH Österreich, 6 Ob 242/22i) ruled that the controller had to provide the requested information about the data breach on the basis of Art. 15 GDPR. In the court's opinion, the right of access includes any information on unauthorised disclosure, e.g., in the case of a data breach.
This means that the data subject has the right to be informed that their data was disclosed and by what means, even if the particular recipient is unknown to the controller.