The right to know who has your personal data (RW v Österreichische Post AG (C-154/21))
In RW v Österreichische Post AG (C-154/21), the European Court of Justice ("ECJ") has provided clarification on the right of access to personal data and information relating to the processing of such data under Article 15(1) of the GDPR. Although the wording of Article 15(1)(c) provides that data subjects have the right to obtain from a data controller information as to "the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisation" (emphasis added), the ECJ has ruled that this provision does not grant data controllers the option of choosing between identifying specific recipients or categories of recipients. Rather, when responding to data subject requests, EU-based data controllers must disclose the actual identity of the recipients save where it is impossible to identify them, or they can demonstrate that a request for access is manifestly unfounded or excessive.
In January 2019, RW, a private individual, made a request under Article 15 for Österreichische Post AG (the Austrian postal service, "OP") to provide access to any personal data being stored by OP and, if the data had been disclosed to third parties, for information as to the identity of the recipients. OP declined to accede to this request. Instead, OP explained that it uses data, to the extent permissible by law, in the course of its professional activities and that it offers the personal data to trading partners for marketing purposes.
RW subsequently issued proceedings in the Austrian courts, seeking an order that OP provide him with the specific identity of the recipients of his personal data. During these proceedings, OP provided RW with information as to how his personal data was processed and the categories of recipient to whom the personal data had been disclosed. The personal data had been processed for marketing purposes and disclosed to its customers, which included advertisers, IT companies, mailing list providers, charitable organisations, NGOs and political parties.
At first instance and on appeal, the Austrian courts dismissed the proceedings, finding that the wording of Article 15(1)(c) gave controllers the option of informing the data subject only of the categories of recipient, without having to identify the specific recipients of the personal data. The case was then referred to the ECJ by the Austrian Supreme Court, which sought clarification on the correct interpretation of the wording of Article 15(1)(c), asking whether the provision must be interpreted as meaning that a data controller has an obligation to provide a data subject with the specific identity of the recipients of their personal data.
What did the Court decide?
For the following reasons, the ECJ held that the correct interpretation of Article 15(1)(c) placed an obligation on data controllers to provide the data subject with the actual identity of the recipients unless it is impossible to identify them, or the data controller can demonstrate that a request for access is manifestly unfounded or excessive (per Article 12(5)(b) of the GDPR):
- While it is not possible to infer an order of priority between the terms 'recipients' and 'categories of recipients' on the wording of Article 15(1)(c), the Court noted that the corresponding recital (recital 63) did not allow for the right of access to be restricted solely to categories of recipient.
- All processing of personal data must comply with the principles enshrined in Article 5 of the GDPR. The third principle, transparency, requires data subjects to be provided with information about how their personal data is processed and that that information be easily accessible and easy to understand.
- Article 15 provides data subjects with a genuine right of access. When this right is exercised, a data subject must have the option of obtaining either information about the specific recipients to whom the data have been or will be disclosed, where possible, or information about the categories of recipient. It is the data subject, not the data controller, who may choose between the two alternatives specified in the provision.
- The right of access must allow a data subject to verify that their data are correct and are being, or have been, processed in a lawful manner. This enables a data subject to exercise their rights to rectification, erasure or restriction of processing under Articles 16, 17 and 18, as well as their right to object to processing under Article 21 or right of action following damage being suffered, under Articles 79 and 82 of the GDPR. To effectively exercise these rights, a data subject must have the right to be informed of the identity of the specific recipients where their personal data have already been disclosed. Further, the Court noted that this was consistent with the terms of the notification obligation for data controllers under Article 19 of the GDPR.
This preliminary ruling should not come as a surprise, as it reflects the reasoning set out in the Advocate General's opinion on this case issued in July 2022. With ECJ rulings no longer legally binding in the UK, the immediate implications of this judgment are limited for data controllers based within the UK. However, such data controllers should bear in mind that the terms of Article 15(1)(c) of the UK GDPR are identical to those of the same provision under the EU GDPR and, as a result, the judgment is likely to be highly persuasive in disputes arising in the UK.
UK-based data controllers should therefore be prepared for data subjects to press for the specific identity of the recipients (if any) of their personal data in any request for access under Article 15(1)(c). Save where it is materially impossible for the data controller to identify the specific recipients of personal data or where the request for access is manifestly unfounded or excessive (or, alternatively, where a data subject deliberately restricts their request to include categories of recipient), it would be prudent for UK-based data controllers to put systems in place to allow them to provide the necessary information.