
GDPR Disclosure Covers Data Breach Disclosure

by admin

The GDPR right of access gives the data subject the right to request comprehensive information from the controller about the type and scope of the data processing concerning them. European case law has repeatedly dealt with the scope and limits of the information that must be provided. The Austrian Supreme Court recently had to decide whether an unintentional disclosure of personal data in the course of a data leak must also be covered by that information. Read more about the decision below.

I. The facts

The defendant operates analysis laboratories and carries out diagnostic test procedures, specializing in particular in PCR tests. From January to June 2021, it carried out coronavirus tests in Tyrol and in this context processed the personal data of the people tested.

In August 2021, the defendant’s managing director at the time sent an Excel file by email to at least one person who did not work for the defendant. The file contained more than 24,000 coronavirus test results from Tyrol together with the personal data of the people tested, including name, place of residence, date of birth, test date and test result and, in the case of a positive test, the virus variant.

The file was then sent to “Standard” and “ORF-Tirol”, which reported on the incident in September of the same year under the headings “Thousands of Tyrolean PCR test results with names and data leaked” and “Massive data leak at positive CoV tests”.

It could not be established to whom the former managing director sent the email or who ultimately passed the file to “Standard” and “ORF-Tirol”.

The plaintiff requested information as to whether she was affected by the data breach described above. On March 31, 2021, the plaintiff had tested positive for the coronavirus. Despite its obligation to provide information under Art. 15 Para. 1 lit. c and Art. 34 GDPR, the defendant refused the requested information. In addition, the plaintiff argued, the defendant is obliged to provide information under the treatment contract concluded between the parties.


The defendant denied from the outset that there was any right to information about specific recipients of personal data. In its view, the wording of Art. 15 GDPR shows that there is no right to a positive or negative confirmation that a third party has allegedly violated the protection of personal data.

With regard to Art. 34 GDPR, the defendant argued that it is purely a regulatory provision from which no subjective right to information can be derived.

II. The decision

In its judgment of March 24, 2023 (Gz: 6Ob242/22i), the Austrian Supreme Court found that the lower courts had correctly assumed that the defendant had to provide the plaintiff with the requested information on the basis of Art. 15 GDPR.

According to Art. 15 Para. 1 GDPR, the data subject has the right to obtain confirmation from the controller as to whether personal data concerning them are being processed. If this is the case, they have the right to access the personal data and to information about the purposes of the processing, the categories of personal data processed and the recipients or categories of recipients to whom the personal data have been or will be disclosed.

In its judgment of January 21, 2023 (C-154/21), the ECJ recently held that the right of access obliges the controller to inform the data subject of the identity of the recipients. This obligation does not apply only if it is impossible to identify the recipients or if the controller can demonstrate that the data subject’s requests for information are manifestly unfounded or excessive within the meaning of Art. 12 (5) GDPR.


The disclosure of the recipients not only serves to check the accuracy of the data transmitted, but above all should enable the data subject to assess the lawfulness of the data processing as such, and thus whether the data are being disclosed to recipients who are authorized to process them.

This part of the information is necessary in particular so that the data subject can exercise their other rights under the GDPR.

In order to guarantee their practical effectiveness, the plaintiff must not only have the right to be informed of the identity of the specific recipients once her data have already been disclosed. Rather, efficient legal enforcement, for example, as in the present case, of claims for damages under Art. 82 GDPR based on an unauthorized disclosure, requires that the data subject be able to learn whether they are actually affected by a data transfer at all.

Thus, according to Art. 15 Para. 1 GDPR, the plaintiff has the right to information as to whether her personal data were disclosed through a specifically identified data transfer to a recipient (Art. 4 Z 9 GDPR), even if the recipient is not known. Only in this way can she exercise the rights under the GDPR listed above.

In particular, it is irrelevant to the exercise of this right to information whether there was a “data breach” attributable to the defendant in the sense of a personal data breach under Art. 4 Z 12 GDPR. According to the findings, the plaintiff’s request for information was neither manifestly unfounded nor excessive within the meaning of Art. 12 (5) GDPR, nor was it impossible for the defendant to answer it.


It was therefore no longer necessary to examine whether Art. 34 GDPR grants the plaintiff a subjective right to information or whether the plaintiff has contractual claims in this regard.

III. Conclusion

The scope of the right of access under Art. 15 GDPR also includes a positive or negative confirmation as to whether the data subject is actually affected by a data breach, i.e. by the unlawful extraction or the unintentional disclosure of data. Only if information on this circumstance is covered by the right of access under Art. 15 GDPR can the data subject effectively assert any other rights they may have under the GDPR.

The question remains open as to whether information about the accidental disclosure of personal data in the course of a data leak must be provided proactively in response to an unspecific request for information, or only if, as in the case decided, the data subject expressly referred to a potential data breach and the associated data processing.

Given the premise of effective enforceability of data subject rights, however, it can be assumed that data subjects do not have to relate their requests for information specifically to data breaches, and that the controller must also provide such information on its own initiative.

After all, it is not uncommon for those affected to have no knowledge of a data leak at first, as Art. 34 GDPR only provides for a separate notification obligation if the breach is likely to result in a high risk to rights and freedoms.

Tip: Do you have any questions about this article? Feel free to discuss it with us in the Entrepreneur group of the IT law firm on Facebook.


Author:

Susanna Milrath
Scientific Associate
