https://usancen.lawthek.eu/en/blog/lawthek/ogh-on-the-right-of-access-under-art-15-gdpr-49f3cc05/
Data Privacy Law 

OGH on the Right of Access under Art 15 GDPR

Benn-Ibler Rechtsanwälte

COVID  ECJ  GDPR  categories of recipients  data leakage  recipients  right of access  All tags

The Austrian Supreme Court (Oberster Gerichtshof, hereinafter OGH) has clarified: The framework of Art 15 of the General Data Protection Regulation (hereinafter GDPR) includes the right to information as to whether personal data has been disclosed to a specific recipient.

The defendant limited liability company had carried out PCR tests for the Coronavirus disease in Tyrol. In 2021, the managing director of the defendant sent an Excel file with more than 24,000 test results by email to at least one person outside the defendant company. Subsequently, this data was leaked to the Austrian Broadcasting Corporation, ORF, and the daily Der Standard, both of which published reports on a ‘massive data leak of positive COVID tests.’

The plaintiff, who had tested positive with the defendant, requested information on whether he had been affected by the data breach, i.e. whether his personal data had been disclosed to a specific recipient. The defendant refused to provide this information contrary to Article 15 of the GDPR, which is why the plaintiff wanted to obtain it through court action.

The defendant countered that there was no right to information regarding specific recipients, as Article 15 GDPR only refers to ‘recipients or categories of recipients.’ The request for information about specific recipients was therefore excessive.  

The lower courts supported the plaintiff’s right to access, as did the OGH:

According to Art. 15 GDPR, there is a right to information obtainable from the responsible person about recipients or categories of recipients to whom personal data has been disclosed.

The purpose of the right to information under Art. 15 GDPR is to enable data subjects to check whether their data have been processed in a lawful manner, in particular whether their data has been disclosed to recipients who are authorised to process any such data. This is essential in order for data subjects to be able to exercise their rights such as the right to have data deleted or to have data- processing restricted, but also to be able to claim damages (if any).

In order to ensure the practical effectiveness of these rights, Article 15 GDPR also requires information on whether the data subject is actually affected by a data transfer to a specific recipient.

OGH 6 Ob 227/22h (24.03.2023)



More Services

LawThek Efficient Legal Information LawThek uses cutting-edge technologies like graph databases and AI to make legal information accessible. (opens in new tab) JobThek Legal Jobs The job board for legal professionals – find your next career opportunity in the legal sector. (opens in new tab) LegalNetics Innovative LegalTech Solutions Transform your legal documents into connected knowledge with LegalNetics. (opens in new tab)