The applicant claims that Österreichische Post as “Personal Data Controller” (data controller) under a legal obligation to disclose such information to users as “Owner of Personal Data” (data subject) in accordance with the EU General Data Protection Regulation: GDPR)
Which requires that the owner of personal data has the right to receive information about the recipients (recipients) or categories of recipients (categories of recipients) whoPersonal informationIt is revealed or will be revealed.
The provider responds to the subscriber’s request. By providing information that is not specific to the recipient of the data, that is, only providing information that The service provider uses personal data to the extent permitted by law when carrying out its activities.
As a publisher of telephone directories and has disclosed or transferred that personal data to partners. for marketing purposes without identifying the specific agency or organization receiving the transfer or disclosing the information
Users of such a service therefore exercised the legal right to sue in the Austrian court. have jurisdiction to seek a court order to compel the service provider to disclose information about the assignee which is their own legal right claiming that “Everyone has the right to know to whom their personal data has been disclosed.”
during the trial Österreichische Post has informed users in more detail that their personal data is transferred to the Company’s clients. Including mail order advertisers. Stationery stores, IT companies, mailing list providers and associations.
such as charitable organizations Non-profit organizations (NGOs), including political parties, for example, provide details about the categories of recipients.
The Austrian Supreme Court (Oberster Gerichtshof) has submitted a request to the Court of Justice of the European Union to rule on the legal question of GDPR.
The owner of personal data has the right to know the details. It is sufficient to indicate either the specific recipients of the personal data transfer or just the recipient category.
The European Court of Justice ruled that the personal data controller is responsible for processing the data subject’s requests. by providing specific recipients
The exception is if the recipient cannot be identified. or if a personal data controller shows that the request is clearly unfounded or excessive. The personal data controller can only determine the categories of recipients.
The court also drew attention to thatright of access of a personal data subject is necessary so that a personal data subject can exercise other rights prescribed by law
For example, the right to correct personal data to be correct, the right to request erasure, the right to stop the processing. The right to object to processing or the right to sue/complain when there is damage The right to request access is therefore the most basic and basic right of every user as a data subject according to the GDPR.
Because the owner of personal information cannot know with whom or which organization his or her information resides. The owner of the personal data will not be able to exercise any legal rights against the transferee.
from the court’s judgment in such cases Consequently, EU institutions subject to the interpretation guidelines of the Supreme Court of the Union (30 countries) may have to make significant adjustments to their privacy governance.
That is, the organization will be able to provide information to the level. “Specifically identify the transferee” in order to be able to provide information in accordance with the request for rights Organizations need detailed data lists, data mapping and a complete record of processing activities (ROPA).
because if there is no such action from the beginning it will not be able to respond to the request to exercise the rights of the data subject in accordance with the law Including it may be necessary to update the details of the notice and prepare a privacy notice as well
from the case study above Compared to the duties of the data controller and the rights of the data subject in accordance with the Personal Data Protection Act BE 2562 with the corresponding laws as follows
(1) to collect personal information The Personal Data Controller will notify the Personal Data Subject of the categories of people or entities to whom the Personal Data collected may be disclosed (Article 23(4) privacy notice).
(2) The data subject has the right to request access. and obtain a copy of personal data relating to them which is the responsibility of the data controller or request disclosure of such personal data for which he/she has not given consent And the data controller must personally comply with the request.
An application can only be refused if it is a legal refusal or a court order. And accessing and obtaining a copy of personal data will have an effect that may harm the rights and freedoms of others (Article 30 right of access).
(3) have the personal data manager record the transactions “Use or Disclosure of Personal Data to Individuals or Entities Receiving Personal Data” (Article 39(6) ROPA)
In conclusion, according to the law, personal data can be transferred and disclosed. (according to the legal conditions), but must also tell the owner of that personal data “Whose information is it?”
source: Court of Justice of the European Union. Judgment of the Court in Case C-154/21. PRESS RELEASE No. 4/23, Luxembourg, 12 January 2023. https://curia.europa.eu/jcms/upload/docs/application/pdf/2023-01/cp230004en.pdf
Technology, Law and Security Perspectives
Pantaree Auijinda
Raweewan Khantiwiriyaphanich
DPOAS Limited Company
