Scope of the Right of Access to Personal Data – An Interesting Case from Austria

Scope of the Right of Access to Personal Data – An Interesting Case from Austria

April 12, 2023

Recently, the European Court of Justice passed a significant judgment regarding the exercise of the right of access by the data subject, in relation to the case that happened in Austria in this respect.

Details of the case

Namely, the Austrian postal service maintained an extensive database of Austrian residents, which data were shared with third parties (e.g., advertisers, humanitarian organizations, etc.). When the data subjects requested information about the individual recipients of their personal data from the subject postal service as the controller, the post rejected their request, and listed only categories of recipients, but did not individualize them in any way.

This case eventually ended up before the European Court of Justice, which found that the actions of the Austrian postal service in the specific situation were not in accordance with the provisions of the GDPR, for the following reasons.

The position of the court

According to the court’s interpretation of the provisions of the GDPR, in order for the data subjects to be able to exercise their right of access to personal data (which is determined by the provisions of Article 15 of the GDPR) in full, i.e., so as to achieve the purpose for which the subject right was established, data subjects must be aware of the identity of individual recipients of this data, i.e., persons with whom the controller shared the data.

In this sense, before the specific transfer of personal data is carried out, so it is impossible to identify the individual recipients of the data, the controller is obliged to present to the data subject information about the persons to whom the data may be disclosed, which, accordingly, may imply a specific category of recipients as well. However, after the data transfer has been carried out, the controller is obliged, at the request of the data subject, to inform that person about the identity of the specific recipients to whom the data was disclosed.

Restrictions of the right of access

However, the right of access to personal data is not unrestricted.

Namely, the court stated in the subject decision that the controller is entitled to refuse access to the data if such request is clearly, i.e., obviously unfounded, or excessive (e.g., if it is made too often), with the burden of proving the relevant circumstances being on the controller.

Otherwise, the right of access to personal data is also recognized by the provisions of the Law on Personal Data Protection of the Republic of Serbia, thus the position taken in the respective judgment can be applied accordingly to the processing carried out by domestic controllers.

This article is to be considered as exclusively informative, with no intention to provide legal advice. If you should need additional information, please contact us directly.