https://usancen.lawthek.eu/en/blog/lawthek/ogh-disclosing-data-recipients-under-gdpr-39d14b9d/
Data Privacy Law 

OGH: Disclosing Data Recipients under GDPR

Benn-Ibler Rechtsanwälte

CJEU  ECJ  GDPR  TFEU  accuracy requirement  controller  data protection  disclosure  information request  intelligibility requirement  preliminary ruling  recipient 

In the case at hand, the Austrian Supreme Court (Oberster Gerichtshof, hereinafter OGH) examined a consumer request concerning the disclosing of personal data to third parties.

In 2019, the plaintiff had requested information from the defendant about which of his personal data the defendant was storing, where the data was stored and, if the data had been disclosed to others, to whom the data had been disclosed. The defendant referred the plaintiff to the company website where general information about data processing was posted. However, only illustrative references to categories of recipients were made there. In the course of the proceedings, the defendant admitted that data had also been disclosed to recipients who did not match the list on the website. The plaintiff therefore demanded full and complete disclosure, as the information given was neither in accordance with the requirement for conciseness nor the requirement for intelligibility under Article 12 GDPR.

The lower courts dismissed the action. The OGH made a request for a preliminary ruling under Art 267 of the Regulation on the Functioning of the European Union (TFEU) and held as follows:

Article 15 of the GDPR provides that the data subject shall have the right to obtain confirmation from the controller as to the purposes for which data are processed, also which data are processed and to which recipients or categories of recipients the data will be disclosed. However, it is not clear whether requests for information ought to be limited if specific recipients have not yet been identified, and whether such disclosure necessarily extends to individual recipients in the case that data have already been disclosed. In this regard, the Court of Justice of the European Union (CJEU) answered:

Article 15(1)(c) of Regulation (EU) 2016/679 (General Data Protection Regulation, GDPR) is to be interpreted as meaning that where personal data have been or will be disclosed, the controller is obliged to inform the data subject of the identity of the recipients. However, this obligation does not apply if the identity of the recipients cannot be identified or the controller demonstrates that requests for information are manifestly unfounded or excessive pursuant to Article 12(5) of the GDPR.

OGH 6 Ob 20/23v (17.02.2023)




More Services

LawThek Efficient Legal Information LawThek uses cutting-edge technologies like graph databases and AI to make legal information accessible. (opens in new tab) JobThek Legal Jobs The job board for legal professionals – find your next career opportunity in the legal sector. (opens in new tab) LegalNetics Innovative LegalTech Solutions Transform your legal documents into connected knowledge with LegalNetics. (opens in new tab)