Cordery

Legal.Compliance.

European Court Rules EU GDPR Right of Access Allows Individuals to Request the Identity of Each Data Recipient, Subject to Certain Limitations

What’s this about?

This matter was an Austrian preliminary reference case before the European Court of Justice (the European Court), RW -v- Österreichische Post AG (the main operator of postal and logistical services in Austria – “the Austrian postal service”), which concerned a request for access to personal data under the EU General Data Protection Regulation (EU GDPR).

In this case, in sum, the European Court (recently) ruled that every person has the right to know to whom her or his personal data have been disclosed, subject to certain limitations. This article is a brief look at this case.

What’s the background to the case?

An individual, “RW”, made a so-called Subject Access Request (SAR) to the Austrian postal service to disclose to the individual the identity of the recipients to whom the postal service had disclosed the individual’s personal data.

The individual relied on Article 15(1)(c) of EU GDPR which provides that a data subject (an individual) has the right to obtain from a data controller information about the recipients or categories of recipient to whom her or his personal data have been or will be disclosed.

In response to the SAR, the Austrian postal service stated that it used personal data, to the extent permissible by law, in the course of its activities as a publisher of telephone directories and that it offered those personal data to trading partners for marketing purposes.

The individual brought proceedings against the Austrian postal service before the Austrian courts seeking an order that the Austrian postal service provide the individual with, inter alia, the identity of the recipient(s) of the personal data disclosed.

During the judicial proceedings the Austrian postal service further informed the individual that the individual’s personal data had been forwarded to customers, including advertisers trading via mail order and stationary outlets, IT companies, mailing list providers and associations such as charitable organisations, non-governmental organisations (NGOs) or political parties.

The lower courts at first instance and then on appeal dismissed the individual’s action on the ground that Article 15(1)(c) of EU GDPR, by referring to “recipients or categories of recipient”, gives a data controller the option of informing an individual only of the categories of recipient, without having to identify by name the specific recipients to whom personal data are transferred.

The case eventually reached the Austrian Supreme Court which then stayed the national legal proceedings and referred the case for interpretation under EU law to the European Court. In essence, the question asked by the Austrian Supreme Court was whether Article 15(1)(c) of EU GDPR must be interpreted as meaning that an individual’s right of access to personal data concerning her or him, provided for by that provision, entails, where those personal data have been or will be disclosed to recipients, an obligation on the part of the data controller to provide the individual with the specific identity of those recipients

What did the court rule?

The European Court ruled, that:

  • An individual “[…] has the right to obtain from a data controller information about the specific recipients to whom the personal data concerning her or him have been or will be disclosed”;
  • But, the court also “[…] emphasised that, as is apparent from recital 4 of the GDPR, the right to the protection of personal data is not an absolute right. That right must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality […]”;
  • “Accordingly, it may be accepted that, in specific circumstances, it is not possible to provide information about specific recipients. Therefore, the right of access may be restricted to information about categories of recipient if it is impossible to disclose the identity of specific recipients, in particular where they are not yet known”;
  • “In addition, it should be borne in mind that, under Article 12(5)(b) of the GDPR, the controller may, pursuant to the principle of responsibility referred to in Article 5(2) and recital 74 of that regulation, refuse to act on requests from a data subject where those requests are manifestly unfounded or excessive, it being specified that it is for the controller to demonstrate that those requests are unfounded or excessive”.

Consequently, the European Court said that because the Austrian postal service had refused the individual’s request to be informed of the identity of the recipients to whom the Austrian postal service had disclosed the personal data concerning the individual, it was now for the Austrian court to determine whether, in the light of the circumstances of the proceedings, the Austrian postal service had demonstrated that that request was manifestly unfounded or excessive.

Key takeaways

The practical upshot of this ruling is that organisations should consider reviewing their internal Subject Access Request policy and procedure to ensure that when considering their response to a SAR:

  • Where the personal data in question have been or will be disclosed to recipients, there is an obligation on the part of the data controller organisation to provide the individual making the SAR with the actual identity of those recipients,
  • Unless, it is impossible to identify those recipients or the data controller organisation can demonstrate that the individual’s requests for access are manifestly unfounded or excessive, in which cases the data controller organisation may indicate to the individual making the SAR only the categories of recipient in question.

It should be noted that the notions of what are “impossible”, “manifestly unfounded” or “excessive” will need to be carefully thought-through in a given set of circumstances.

Further Information

We have written about Subject Access Requests, including here https://www.corderycompliance.com/ico-sar-uk1/, here https://www.corderycompliance.com/sars-under-gdpr/, here https://www.corderycompliance.com/limits-on-sars-uk-court-rulings/, and here https://www.corderycompliance.com/ico-sars-enforcement-lewisham-council/.

We write about privacy/data protection issues here: https://www.corderycompliance.com/category/data-protection-privacy/.

The court’s judgement can be found here: https://curia.europa.eu/juris/document/document.jsf?text=&docid=269146&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=27746

For more information please contact André Bywater or Jonathan Armstrong who are commercial lawyers with Cordery in London where their focus is on compliance issues.

Jonathan Armstrong, Cordery, Lexis House, 30   Farringdon Street, London, EC4A 4HH André Bywater, Cordery, Lexis House, 30             Farringdon Street, London, EC4A 4HH
Office: +44 (0)207 075 1784 Office: +44 (0)207 075 1785
Jonathan.armstrong@corderycompliance.com Andre.bywater@corderycompliance.com
 

 

Contact a Cordery Specialist +44(0)207 118 2700 | Contact Us

Cordery is a trading name of Cordery Compliance Limited. Authorised and regulated by the Solicitors Regulation Authority.
SRA number 608187. Company number 07931532 registered in England and Wales. VAT number: 730859520
Registered office: Lexis House, 30 Farringdon Street, London, EC4A 4HH, United Kingdom

Cordery Compliance Limited trading as Cordery provides some products and services which are not regulated by the Solicitors Regulation Authority; we will clearly state this to you if this is the case.

We use the word “partner” to refer to a shareowner or director of the company, or an employee or consultant who is a lawyer with equivalent standing and qualifications.

Cordery is a registered trademark of RELX (UK) Limited, used under license. The Knowledge Burst logo is a registered trademark of Reed Elsevier Properties Inc., used under license.

Copyright © 2021 Cordery. All rights reserved.