New GDPR rights established: Austrian Postal Service Must Disclose Recipients of Personal Data, EU Court Rules

Reading time: 2 minutes
Twitter
LinkedIn

The European Court of Justice has ruled that Austrian postal service Österreichische Post must disclose to the data subject the identity of any recipients to whom they have disclosed personal data.

The case was brought to the court by a citizen of Austria who requested Österreichische Post to disclose to him the identity of the recipients to whom they had disclosed his personal data. The citizen argued that the EU General Data Protection Regulation (GDPR) provides that the data subject has the right to be informed about the recipients or categories of recipient to whom their personal data have been or will be disclosed.

In response to the citizen’s request, Österreichische Post only stated that they use personal data in the course of their activities as a publisher of telephone directories, and that they offer personal data to trading partners for marketing purposes.

The case was then brought to the Austrian Supreme Court, who sought clarification from the European Court of Justice on whether the GDPR leaves the data controller the choice to disclose either the specific identity of the recipients or only the categories of recipient, or whether it gives the data subject the right to know their specific identity.

In today’s judgment, the Court ruled that where personal data have been or will be disclosed to recipients, the controller must provide the data subject, on request, with the actual identity of those recipients. This is the case even if it is not yet possible to identify those recipients, or the request is manifestly unfounded or excessive.

The Court noted that the data subject’s right of access is necessary to enable them to exercise other rights conferred by the GDPR, such as their right to rectification, right to erasure, right to restriction of processing, right to object to processing or right of action where they suffer damage.

In practical terms it means that Zoom, RocketReach and similar have to divulge who purchased your email address if asked. The implications are huge, and yet another reason to think twice before purchasing email and personal data.

Hat-Tip to Rie Aleksandra Walle of the ‘Grumpy GDPR podcast’ for bringing this to our attention.