EU court: companies must specify to whom they give citizen or customer data
European citizens have the right to know to which companies their data has been sold. The European Court of Justice says in a ruling that any EU member may request this under the GDPR and that companies must name specific companies.
The European Court of Justice spoke out in a case brought by an Austrian against the Österreichische Post, the national postal company that produces the country’s telephone directory, among other things. To this end, citizens’ data is sold to companies, which purchase it for marketing purposes. In 2019, the man wanted to know which companies the Post had done that to. De Post only responded with a general statement that the data was sent to ‘companies’, but without mentioning those companies by name. The man litigated all the way to the highest European judicial body to find out which specific companies are involved.
The man appeals Article 15 of the GDPR, also known as the right of access. It states that a person has the right to know what their data has been sold for, but like many articles of the GDPR, the precise interpretation of this is unclear and must be defined by practical cases. The European Court was therefore also asked whether, under the right of access, only a category of companies needs to be communicated, or whether a controller must specify which companies are involved.
The Court now concludes the latter. According to the Court of Justice, the information under the right of access must be ‘as accurate as possible’. “In particular, this right of access means that the data subject may obtain from the controller information about the specific recipients to whom the data have been or will be disclosed, or may choose to request information only regarding the categories of recipients” , writes the Court.
In the judgment, the Court also writes that a company or body does not have to provide the information if the request is ‘unfounded or excessive’, for example if it concerns repetitive requests. In that case, a data processor may ask for money or even refuse to comply with the request, but, the judge says: “It is up to the controller to demonstrate the manifestly unfounded or excessive nature of the request.”