European citizens have the right to know that their data has been sold to companies. In its ruling, the European Court of Justice says that any citizen of the European Union may request this under the General Data Protection Regulation and that companies must name the specific companies involved.
The European Court of Justice issued the ruling in a case brought by an Austrian against Österreichische Post, the national postal company that, among other things, produces the country's telephone directory. To this end, citizens' data is sold to companies that purchase it for marketing purposes. In 2019, the man wanted to know which companies these were. The Post responded only with a general statement that the data was sent to "companies", without mentioning those companies by name. The man sued all the way to the highest European judicial body to find out the specific companies involved.
The man invoked Article 15 of the General Data Protection Regulation, also known as the right of access. It states that a person has a right to know the purpose for which their data has been sold, but as with many GDPR articles, its exact interpretation is not clear and has to be determined through practical cases. So the European Court also raised the issue of whether, under the right of access, only a category of companies has to be reported, or whether the controller must identify the companies involved.
The court now concludes the latter. According to the Court of Justice, the information provided under the right of access must be "as accurate as possible". In particular, this right of access means that the data subject may obtain from the controller information about the specific recipients to whom the data has been or will be disclosed, or may choose to request information relating only to categories of recipients.
In the ruling, the court also writes that a company or body does not have to provide information if the request is “unfounded or excessive”, for example if it concerns repeated requests. In this case, the data processor may demand money or even refuse to comply with the request, but, the judge says: “It is up to the controller to prove the manifestly unfounded or excessive nature of the request.”