Everyone has the right to know to whom their data has been disclosed, according to the CJEU. Following this CJEU ruling of January 12, 2023, the requirements for companies on data protection are likely to increase.
In IT law, data protection law plays a significant role. The protection of personal data has been significantly tightened with the introduction of the General Data Protection Regulation – GDPR. Companies may face severe penalties for violations of the GDPR, explains the law firm MTR Legal Rechtsanwälte, which focuses part of its consultancy on IT law and data protection.
The judgment of the Court of Justice of the European Union of January 12, 2023 (Ref. C-154/21) is likely to increase the data protection requirements for companies once again. This is because personal data flows between many companies. The CJEU has now made it clear that everyone has the right to know to whom their personal data has been disclosed. Exceptions are only possible in a narrow scope, according to the court.
The case before the CJEU concerned an incident from Austria. A citizen wanted to know from the Austrian Post to which recipients their personal data had been forwarded and referred to the General Data Protection Regulation. According to the GDPR, every affected person has the right to know which specific recipients or categories of recipients their personal data has been or will be disclosed to.
The Austrian Post provided information only piecemeal and during the proceedings indicated that the plaintiff’s data had been disclosed to advertising companies, companies in mail order or retail trade, IT companies, address publishers, associations, charities, and political parties. The Supreme Court in Austria wanted to know from the CJEU whether mentioning such categories of recipients was sufficient or whether the specific recipients had to be disclosed.
The CJEU ruled that when personal data is disclosed, the data subject has the right to know the identity of the recipients upon request. Limiting the information to categories is only permissible if it is not possible to identify the recipient or if the request is manifestly unfounded or excessive. This right to information is necessary so that the data subject can exercise their other rights to which they are entitled under the GDPR, according to the CJEU.
Experienced IT law attorneys advise at MTR Legal Rechtsanwälte on data protection issues.
