News

EU court: companies must specify to whom they give citizen or customer data

By admin
Spread the love

European citizens have the right to know to which companies their data has been sold. The European Court of Justice says in a ruling that any EU member may request this under the GDPR and that companies must name specific companies.

The European Court of Justice spoke out in a case brought by an Austrian against the Österreichische Post, the national postal company that produces the country’s telephone directory, among other things. To this end, citizens’ data is sold to companies, which purchase it for marketing purposes. In 2019, the man wanted to know which companies the Post had done that to. De Post only responded with a general statement that the data was sent to ‘companies’, but without mentioning those companies by name. The man litigated all the way to the highest European judicial body to find out which specific companies are involved.

The man appeals Article 15 of the GDPR, also known as the right of access. It states that a person has the right to know what their data has been sold for, but like many articles of the GDPR, the precise interpretation of this is unclear and must be defined by practical cases. The European Court was therefore also asked whether, under the right of access, only a category of companies needs to be communicated, or whether a controller must specify which companies are involved.

The Court now concludes the latter. According to the Court of Justice, the information under the right of access must be ‘as accurate as possible’. “In particular, this right of access means that the data subject may obtain from the controller information about the specific recipients to whom the data have been or will be disclosed, or may choose to request information only regarding the categories of recipients” , writes the Court.

In the judgment, the Court also writes that a company or body does not have to provide the information if the request is ‘unfounded or excessive’, for example if it concerns repetitive requests. In that case, a data processor may ask for money or even refuse to comply with the request, but, the judge says: “It is up to the controller to demonstrate the manifestly unfounded or excessive nature of the request.”

You might also like
News

Android 14 beta brings support for a desktop mode

News

Good news for TSMC: its 3nm node will take flight in 2024 thanks to the push of these…

News

The most boring technology of the 21st century: Intel has only grown 5% since 2000

News

Google Password Manager can start sharing passwords with partners or children

News

PlayStation 5 beta update improves audio from DualSense controller

News

Rumor: Android 15 puts apps in ‘edge-to-edge’ mode by default