Everyone has the right to know to whom their data has been disclosed, according to the CJEU. Following this CJEU ruling on January 12, 2023, the requirements for businesses regarding data protection are likely to increase.
In IT law, data protection law plays a crucial role. The protection of personal data has been significantly sharpened by the introduction of the General Data Protection Regulation – GDPR. Violations of the GDPR can result in severe sanctions for companies, explains the commercial law firm MTR Legal Rechtsanwälte, which focuses a significant part of its advisory services on IT law and data protection.
The judgment of the Court of Justice of the European Union dated 01/12/2023 (Case No. C-154/21) is likely to further raise the requirements for data protection for companies. This is because personal data frequently flows back and forth between many companies. The CJEU has now made it clear that everyone has the right to know to whom their personal data has been disclosed. Exceptions are only possible within a narrow framework, according to the court.
The CJEU case concerned a situation from Austria. A citizen wanted to know from the Austrian Postal Service to which recipients his personal data had been forwarded, invoking the General Data Protection Regulation. According to the GDPR, every data subject has the right to know to which specific recipients or recipient categories their personal data has been or will be disclosed.
The Austrian Postal Service provided the information only gradually and disclosed over the course of the proceedings that the claimant’s data had been shared with advertising companies, companies in the shipping or retail sector, IT companies, address publishers, associations, charitable organizations, and political parties. The Supreme Court in Austria wanted to know from the CJEU whether the mention of such recipient categories was sufficient or whether the specific recipients had to be disclosed.
The CJEU decided that when personal data is disclosed, the data subject has the right to know the identity of the recipients upon request. Restricting the information to categories is only permissible if it is not possible to identify the recipient or if the request is manifestly unfounded or excessive. This right to information is necessary for the data subject to exercise their other rights granted to them under the GDPR, according to the CJEU.
Lawyers experienced in IT law provide advice on data protection issues at MTR Legal Rechtanwälte.
