Advocate General Pitruzzella delivered an opinion on the right of access to personal data under Article 15 GDPR

On June 9, 2022, the Advocate General of the European Court of Justice Pitruzzella delivered an opinion on Case C-154/21 (“Opinion,” full text of the Opinion available here), a reference for a preliminary ruling from the Supreme Court of Austria filed on March 9, 2021 (full text of the request available here), concerning the interpretation of Article 15 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (the “GDPR,” full text available here), which establishes a data subject’s right of access to their personal data being processed by a data controller.

The Austrian Supreme Court asked the European Court of Justice (“ECJ”) to clarify the scope of Article 15(1)(c), which establishes a data subject’s right to obtain from the data controller information on the recipients or categories of recipient to whom the personal data have been or will be disclosed. In a nutshell, the referring court asked whether it was correct to interpret the provision as requiring the data controller to provide information on specific recipients when the data has already been disclosed and to limit this obligation to information on categories of recipients when the data has not been disclosed yet.

According to AG Pitruzzella, it is not up to the data controller to determine the extent of the information to be provided, but it is up to the right holder to decide whether to access information concerning specific recipients or to categories of recipients. This interpretation is confirmed by the difference in the structure of provisions such as Articles 13 and 14 of the GDPR, which place an obligation on the data controller, and Article 15, which instead considers the data subject to hold a right that cannot be limited by the data controller at its own discretion.

This is corroborated by recital 63 GDPR, which provides the right of the data subject to obtain information about the specific recipients to whom data has been disclosed. According to AG Pitruzzella, recital 63 also makes clear that the purpose of the right of access is to enable the data subject to verify that their personal data is lawfully processed, which implies that the data subject must be able to verify that the data are disclosed to authorized parties.

In addition, AG Pitruzzella cited the ECJ case law in which the court affirmed that the right of access provides the means through which data subjects are able to exercise the other rights established by Articles 16, 17, 18, and 21 GDPR, namely, the right to rectify, delete, restrict processing of, or object to processing of data. The right of access is also necessary to enable data subjects to take legal action in the event they suffer harm, and to allow them to obtain the compensation provided by Articles 79 and 82 GDPR. Without information on the recipients of the data, a data subject would be prevented from exercising those rights against them, thus depriving the aforementioned provisions of their effectiveness.

Finally, AG Pitruzzella pointed out that Article 19 GDPR requires the controller to communicate to the recipients to whom personal data has been disclosed and any requests for rectification, erasure, or restriction of processing of the data, thus implying that the data subject must be in a position to verify that those subjects have complied with such requests following data controller notification.

So, according to AG Pitruzzella, to enable a data subject to exercise rights under the GDPR, Article 15(1)(c) must be interpreted as requiring the data controller to provide information on specific recipients to whom the data has been disclosed.

However, AG Pitruzzella highlighted two scenarios where this obligation may not apply: (i) when it is impossible for the data controller to provide this information, for instance, because the recipients have not been identified yet; and (ii) when the data controller can prove that the request from the data subject is manifestly unfounded or excessive, pursuant to Article 12(5) GDPR.

The case at issue originated from a natural person (the “Appellant”) exercising his right of access against Österreichische Post, the main provider of postal and logistical services in Austria, which refused to communicate any information on the specific recipients to whom the Appellant’s personal data was disclosed. Österreichische Post only stated that it had processed the Appellant’s data in the context of its activity as a publisher of telephone directories, and that it had provided this data to business customers for marketing purposes.

The Appellant took the case to court, claiming that the information thus provided did not satisfy the requirements of Article 15 (1)(c). However, both the court of first instance and the appellate court dismissed his claims, holding that the data controller is allowed to provide only information on the categories of recipients, since Article 15(1)(c) of the GDPR equally refers to recipients or categories of recipients. The Appellant pursued his claim before the Supreme Court of Austria, which stayed the proceeding and referred a request for a preliminary ruling to the ECJ.

Finally, it is worth recalling that opinions from the Advocate General are not binding upon the ECJ. Rather, they are recommendations on how to address the questions analyzed. In the coming months the ECJ will deliver its judgment, which will be binding upon national courts.

Seguici su