CURIA Documents c 154/21, english

Provisional text

JUDGMENT OF THE COURT (First Chamber)

12 January 2023 (*)

(Reference for a preliminary ruling – Protection of natural persons with regard to the processing of personal data – Regulation (EU) 2016/679 – Article 15(1)(c) – Data subject’s right of access to his or her data – Information about the recipients or categories of recipient to whom the personal data have been or will be disclosed – Restrictions)

In Case C‑154/21,

REQUEST for a preliminary ruling under Article 267 TFEU from the Oberster Gerichtshof (Supreme Court, Austria), made by decision of 18 February 2021, received at the Court on 9 March 2021, in the proceedings

RW

v

Österreichische Post AG,

THE COURT (First Chamber),

composed of A. Arabadjiev, President of the Chamber, L. Bay Larsen, Vice-President of the Court, acting as Judge of the First Chamber, P.G. Xuereb, A. Kumin and I. Ziemele (Rapporteur), Judges,

Advocate General: G. Pitruzzella,

Registrar: A. Calot Escobar,

having regard to the written procedure,

after considering the observations submitted on behalf of:

–        RW, by R. Haupt, Rechtsanwalt,

–        Österreichische Post AG, by R. Marko, Rechtsanwalt,

–        the Austrian Government, by G. Kunnert, A. Posch and J. Schmoll, acting as Agents,

–        the Czech Government, by M. Smolek and J. Vláčil, acting as Agents,

–        the Italian Government, by G. Palmieri, acting as Agent, and by M. Russo, avvocato dello Stato,

–        the Latvian Government, by J. Davidoviča, I. Hūna and K. Pommere, acting as Agents,

–        the Romanian Government, by L.-E. Baţagoi, E. Gane and A. Wellman, acting as Agents,

–        the Swedish Government, by H. Eklinder, J. Lundberg, C. Meyer-Seitz, A.M. Runeskjöld, M. Salborn Hodgson, R. Shahsavan Eriksson, H. Shev and O. Simonsson, acting as Agents,

–        the European Commission, by F. Erlbacher and H. Kranenborg, acting as Agents,

after hearing the Opinion of the Advocate General at the sitting on 9 June 2022,

gives the following

Judgment

1        This request for a preliminary ruling concerns the interpretation of Article 15(1)(c) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ 2016 L 119, p. 1) (‘the GDPR’).

2        The request has been made in proceedings between RW and Österreichische Post AG (‘Österreichische Post’) concerning a request for access to personal data pursuant to Article 15(1)(c) of the GDPR.

 Legal context

3        Recitals 4, 9, 10, 39, 63 and 74 of the GDPR are worded as follows:

‘(4)      … The right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality. …

…

(9)      The objectives and principles of Directive 95/46/EC [of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ 1995 L 281, p. 31)] remain sound, but it has not prevented fragmentation in the implementation of data protection across the [European] Union, legal uncertainty or a widespread public perception that there are significant risks to the protection of natural persons, in particular with regard to online activity. Differences in the level of protection of the rights and freedoms of natural persons, in particular the right to the protection of personal data, with regard to the processing of personal data in the Member States may prevent the free flow of personal data throughout the Union. Those differences may therefore constitute an obstacle to the pursuit of economic activities at the level of the Union, distort competition and impede authorities in the discharge of their responsibilities under Union law. Such a difference in levels of protection is due to the existence of differences in the implementation and application of Directive 95/46/EC.

(10)      In order to ensure a consistent and high level of protection of natural persons and to remove the obstacles to flows of personal data within the Union, the level of protection of the rights and freedoms of natural persons with regard to the processing of such data should be equivalent in all Member States. …

…

(39)      Any processing of personal data should be lawful and fair. It should be transparent to natural persons that personal data concerning them are collected, used, consulted or otherwise processed and to what extent the personal data are or will be processed. The principle of transparency requires that any information and communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used. …

…

(63)      A data subject should have the right of access to personal data which have been collected concerning him or her, and to exercise that right easily and at reasonable intervals, in order to be aware of, and verify, the lawfulness of the processing. … Every data subject should therefore have the right to know and obtain communication in particular with regard to the purposes for which the personal data are processed, where possible the period for which the personal data are processed, the recipients of the personal data, the logic involved in any automatic personal data processing and, at least when based on profiling, the consequences of such processing. … That right should not adversely affect the rights or freedoms of others, including trade secrets or intellectual property and in particular the copyright protecting the software. However, the result of those considerations should not be a refusal to provide all information to the data subject. …

…

(74)      The responsibility and liability of the controller for any processing of personal data carried out by the controller or on the controller’s behalf should be established. In particular, the controller should be obliged to implement appropriate and effective measures and be able to demonstrate the compliance of processing activities with this Regulation, including the effectiveness of the measures. Those measures should take into account the nature, scope, context and purposes of the processing and the risk to the rights and freedoms of natural persons.’

4        Article 1 of the GDPR, headed ‘Subject matter and objectives’, provides in paragraph 2:

‘This Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.’

5        Article 5 of the GDPR, headed ‘Principles relating to processing of personal data’, provides:

‘1.      Personal data shall be:

(a)      processed lawfully, fairly and in a transparent manner in relation to the data subject (“lawfulness, fairness and transparency”);

…

2.      The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (“accountability”).’

6        Article 12 of the GDPR, headed ‘Transparent information, communication and modalities for the exercise of the rights of the data subject’, states:

‘1.      The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means.

2.      The controller shall facilitate the exercise of data subject rights under Articles 15 to 22. In the cases referred to in Article 11(2), the controller shall not refuse to act on the request of the data subject for exercising his or her rights under Articles 15 to 22, unless the controller demonstrates that it is not in a position to identify the data subject.

…

5.      Information provided under Articles 13 and 14 and any communication and any actions taken under Articles 15 to 22 and 34 shall be provided free of charge. Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either:

(a)      charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or

(b)      refuse to act on the request.

The controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.

…’

7        Article 13 of the GDPR, headed ‘Information to be provided where personal data are collected from the data subject’, provides in paragraph 1:

‘Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information:

…

(e)      the recipients or categories of recipients of the personal data, if any;

…’

8        Article 14 of the GDPR, headed ‘Information to be provided where personal data have not been obtained from the data subject’, provides in paragraph 1:

‘Where personal data have not been obtained from the data subject, the controller shall provide the data subject with the following information:

…

(e)      the recipients or categories of recipients of the personal data, if any;

…’

9        As set out in Article 15 of the GDPR, headed ‘Right of access by the data subject’:

‘1.      The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:

(a)      the purposes of the processing;

(b)      the categories of personal data concerned;

(c)      the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;

(d)      where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;

(e)      the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;

(f)      the right to lodge a complaint with a supervisory authority;

(g)      where the personal data are not collected from the data subject, any available information as to their source;

(h)      the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

2.      Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer.

3.      The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.

4.      The right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others.’

10      Article 16 of the GDPR, headed ‘Right to rectification’, provides:

‘The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.’

11      As set out in Article 17 of the GDPR, headed ‘Right to erasure (“right to be forgotten”)’:

‘1.      The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

(a)      the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

(b)      the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;

(c)      the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);

(d)      the personal data have been unlawfully processed;

(e)      the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;

(f)      the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).

2.      Where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

…’

12      Article 18 of the GDPR, headed ‘Right to restriction of processing’, provides in paragraph 1:

‘The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:

(a)      the Accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the Accuracy of the personal data;

(b)      the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;

(c)      the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;

(d)      the data subject has objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the controller override those of the data subject.

…’

13      Article 19 of the GDPR is worded as follows:

‘The controller shall communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with Article 16, Article 17(1) and Article 18 to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller shall inform the data subject about those recipients if the data subject requests it.’

14      Under Article 21 of the GDPR, headed ‘Right to object’:

‘1.      The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

2.      Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.

3.      Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

4.      At the latest at the time of the first communication with the data subject, the right referred to in paragraphs 1 and 2 shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information.

5.      In the context of the use of information society services, and notwithstanding Directive 2002/58/EC [of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) (OJ 2002 L 201, p. 37)], the data subject may exercise his or her right to object by automated means using technical specifications.

6.      Where personal data are processed for scientific or historical research purposes or statistical purposes pursuant to Article 89(1), the data subject, on grounds relating to his or her particular situation, shall have the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.’

15      Article 79 of the GDPR, headed ‘Right to an effective judicial remedy against a controller or processor’, states in paragraph 1:

‘Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority pursuant to Article 77, each data subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with this Regulation.’

16      Article 82 of the GDPR, headed ‘Right to compensation and liability’, provides in paragraph 1:

‘Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.’

 The dispute in the main proceedings and the question referred for a preliminary ruling

17      On 15 January 2019, RW asked Österreichische Post for access under Article 15 of the GDPR to the personal data concerning him which were being stored or had previously been stored by Österreichische Post and, if the data had been disclosed to third parties, for information as to the identity of the recipients.

18      In response to that request, Österreichische Post merely stated that it uses data, to the extent permissible by law, in the course of its activities as a publisher of telephone directories and that it offers those personal data to trading partners for marketing purposes. It also referred to a website that set out more information and further data processing purposes. It did not disclose to RW the identity of the specific recipients of the data.

19      RW brought proceedings against Österreichische Post before the Austrian courts, seeking an order that Österreichische Post provide him with, inter alia, the identity of the recipient(s) of the personal data disclosed.

20      During the judicial proceedings thus initiated, Österreichische Post informed RW that his personal data had been processed for marketing purposes and forwarded to customers, including advertisers trading via mail order and stationary outlets, IT companies, mailing list providers and associations such as charitable organisations, non-governmental organisations (NGOs) or political parties.

21      The courts at first instance and on appeal dismissed RW’s action on the ground that Article 15(1)(c) of the GDPR, by referring to ‘recipients or categories of recipient’, gives the controller the option of informing the data subject only of the categories of recipient, without having to identify by name the specific recipients to whom personal data are transferred.

22      RW brought an appeal on a point of law (Revision) before the Oberster Gerichtshof (Supreme Court, Austria), the referring court.

23      That court is uncertain as to the interpretation of Article 15(1)(c) of the GDPR, in so far as it is not clear from the wording of that provision whether it grants the data subject the right of access to information relating to the specific recipients of the disclosed data, or whether the controller has discretion as to how it proposes to respond to a request for access to information about the recipients.

24      The referring court nevertheless observes that the underlying objective of that provision supports the interpretation that it is the data subject who has the option of requesting information about the categories of recipient or requesting information about the specific recipients of his or her personal data. In the referring court’s view, any contrary interpretation would seriously undermine the effectiveness of the legal remedies available to the data subject for the protection of his or her data. If controllers had the option of informing data subjects of the specific recipients or only of the categories of recipient, the fear would be that, in practice, almost no controller would provide information about specific recipients.

25      In addition, unlike Article 13(1)(e) and Article 14(1)(e) of the GDPR, which lay down an obligation on the part of the controller to provide the information set out in those articles, Article 15(1) of that regulation focuses on the scope of the data subject’s right of access, a fact which, according to the referring court, also tends to indicate that the data subject has the right to choose between requesting information about the specific recipients or about categories of recipient.

26      Lastly, the referring court adds that the right of access provided for in Article 15(1) of the GDPR covers not only personal data currently being processed but also all data processed previously. In that regard, it states that the considerations set out in the judgment of 7 May 2009, Rijkeboer (C‑553/07, EU:C:2009:293), based on the purpose of the right of access provided for by Directive 95/46, may be transferred to the right of access under Article 15 of the GDPR, especially since it can be deduced from recitals 9 and 10 of the GDPR that the EU legislature did not intend to reduce the level of protection as compared to that directive.

27      In those circumstances, the Oberster Gerichtshof (Supreme Court) decided to stay the proceedings and to refer the following question to the Court of Justice for a preliminary ruling:

‘Is Article 15(1)(c) of [the GDPR] to be interpreted as meaning that the right of access is limited to information concerning categories of recipient where specific recipients have not yet been determined in the case of planned disclosures, but that right must necessarily also cover recipients of those disclosures in cases where data [have] already been disclosed?’

 Consideration of the question referred

28      By its question, the referring court asks, in essence, whether Article 15(1)(c) of the GDPR must be interpreted as meaning that the data subject’s right of access to personal data concerning him or her, provided for by that provision, entails, where those data have been or will be disclosed to recipients, an obligation on the part of the controller to provide the data subject with the specific identity of those recipients.

29      As a preliminary point, it should be borne in min d that, in accordance with settled case-law, the interpretation of a provision of EU law requires that account be taken not only of its wording, but also of its context and the objectives and purpose pursued by the act of which it forms part (judgment of 15 March 2022, Autorité des marchés financiers, C‑302/20, EU:C:2022:190, paragraph 63). Furthermore, where a provision of EU law is open to several interpretations, preference must be given to that interpretation which ensures that the provision retains its effectiveness (judgment of 7 March 2018, Cristal Union, C‑31/17, EU:C:2018:168, paragraph 41 and the case-law cited).

30      As regards, first of all, the wording of Article 15(1)(c) of the GDPR, that provision states that the data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed and, where that is the case, access to the personal data and information about the recipients or categories of recipient to whom the personal data have been or will be disclosed.

31      It should be noted that the terms ‘recipients’ and ‘categories of recipient’ in that provision are used in succession, without it being possible to infer an order of priority between them.

32      It is thus clear that the wording of Article 15(1)(c) of the GDPR does not make it possible to determine unequivocally whether the data subject would have the right to be informed, when personal data concerning him or her have been or will be disclosed, of the specific identity of the recipients of the data.

33      Next, as regards the context of Article 15(1)(c) of the GDPR, it should be pointed out, in the first place, that recital 63 of that regulation states that the data subject is to have the right to know and obtain communication in particular with regard to the recipients of the personal data and does not state that that right may be restricted solely to categories of recipient, as the Advocate General observed in point 23 of his Opinion.

34      In the second place, it should also be borne in min d that, in order to respect the right of access, all processing of personal data of natural persons must comply with the principles set out in Article 5 of the GDPR (see, to that effect, judgment of 16 January 2019, Deutsche Post, C‑496/17, EU:C:2019:26, paragraph 57).

35      Those principles include the principle of transparency set out in Article 5(1)(a) of the GDPR, which, as is clear from recital 39 of that regulation, requires that the data subject have information about how his or her personal data are processed and that that information be easily accessible and easy to understand.

36      In the third place, it should be noted, as the Advocate General stated in point 21 of his Opinion, that, unlike Articles 13 and 14 of the GDPR, which lay down an obligation on the part of the controller to provide the data subject with information relating to the categories of recipient or the specific recipients of the personal data concerning him or her where personal data are collected from the data subject and where personal data have not been obtained from the data subject, Article 15 of the GDPR lays down a genuine right of access for the data subject, with the result that the data subject must have the option of obtaining either information about the specific recipients to whom the data have been or will be disclosed, where possible, or information about the categories of recipient.

37      In the fourth place, the Court has previously held that the exercise of that right of access must enable the data subject to verify not only that the data concerning him or her are correct, but also that they are processed in a lawful manner (see, by analogy, judgments of 17 July 2014, YS and Others, C‑141/12 and C‑372/12, EU:C:2014:2081, paragraph 44, and of 20 December 2017, Nowak, C‑434/16, EU:C:2017:994, paragraph 57), and in particular that they have been disclosed to authorised recipients (see, by analogy, judgment of 7 May 2009, Rijkeboer, C‑553/07, EU:C:2009:293, paragraph 49).

38      In particular, that right of access is necessary to enable the data subject to exercise, depending on the circumstances, his or her right to rectification, right to erasure (‘right to be forgotten’) or right to restriction of processing, conferred, respectively, by Articles 16, 17 and 18 of the GDPR (see, by analogy, judgments of 17 July 2014, YS and Others, C‑141/12 and C‑372/12, EU:C:2014:2081, paragraph 44, and of 20 December 2017, Nowak, C‑434/16, EU:C:2017:994, paragraph 57), and the data subject’s right to object to his or her personal data being processed, laid down in Article 21 of the GDPR, and right of action where he or she suffers damage, laid down in Articles 79 and 82 of the GDPR (see, by analogy, judgment of 7 May 2009, Rijkeboer, C‑553/07, EU:C:2009:293, paragraph 52).

39      Thus, in order to ensure the effectiveness of all of the rights referred to in the preceding paragraph of the present judgment, the data subject must have, in particular, the right to be informed of the identity of the specific recipients where his or her personal data have already been disclosed.

40      Such an interpretation is confirmed, in the fifth and last place, by a reading of Article 19 of the GDPR, which provides, in its first sentence, that the controller is, in principle, to communicate any rectification or erasure of personal data or restriction of processing to each recipient to whom the personal data have been disclosed and, in its second sentence, that the controller is to inform the data subject about those recipients if the data subject requests it.

41      Thus, the second sentence of Article 19 of the GDPR expressly confers on the data subject the right to be informed of the specific recipients of the data concerning him or her by the controller, in the context of the controller’s obligation to inform all the recipients of the exercise of the data subject’s rights under Article 16, Article 17(1) and Article 18 of the GDPR.

42      It follows from the above contextual analysis that Article 15(1)(c) of the GDPR is one of the provisions intended to ensure transparency vis-à-vis the data subject of the manner in which personal data are processed and enables that person, as the Advocate General observed in point 33 of his Opinion, to exercise the rights laid down, inter alia, in Articles 16 to 19, 21, 79 and 82 of the GDPR.

43      Accordingly, the information provided to the data subject pursuant to the right of access provided for in Article 15(1)(c) of the GDPR must be as precise as possible. In particular, that right of access entails the ability of the data subject to obtain from the controller information about the specific recipients to whom the data have been or will be disclosed or, alternatively, to elect merely to request information concerning the categories of recipient.

44      Lastly, as regards the purpose of the GDPR, it should be pointed out that its purpose is, inter alia, as is apparent from recital 10 of that regulation, to ensure a high level of protection of natural persons within the European Union (judgment of 6 October 2020, La Quadrature du Net and Others, C‑511/18, C‑512/18 and C‑520/18, EU:C:2020:791, paragraph 207). In that regard, as the Advocate General observed, in essence, in point 14 of his Opinion, the general legal framework created by the GDPR implements the requirements arising from the fundamental right, protected by Article 8 of the Charter of Fundamental Rights of the European Union, to the protection of personal data, in particular the requirements expressly laid down in Article 8(2) thereof (see, to that effect, judgment of 9 March 2017, Manni, C‑398/15, EU:C:2017:197, paragraph 40).

45      That objective supports the interpretation of Article 15(1) of the GDPR set out in paragraph 43 above.

46      Therefore, it also follows from the objective pursued by the GDPR that the data subject has the right to obtain from the controller information about the specific recipients to whom the personal data concerning him or her have been or will be disclosed.

47      That said, it must, lastly, be emphasised that, as is apparent from recital 4 of the GDPR, the right to the protection of personal data is not an absolute right. That right must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality, as the Court reaffirmed, in essence, in paragraph 172 of the judgment of 16 July 2020, Facebook Ireland and Schrems (C‑311/18, EU:C:2020:559).

48      Accordingly, it may be accepted that, in specific circumstances, it is not possible to provide information about specific recipients. Therefore, the right of access may be restricted to information about categories of recipient if it is impossible to disclose the identity of specific recipients, in particular where they are not yet known.

49      In addition, it should be borne in min d that, under Article 12(5)(b) of the GDPR, the controller may, pursuant to the principle of responsibility referred to in Article 5(2) and recital 74 of that regulation, refuse to act on requests from a data subject where those requests are manifestly unfounded or excessive, it being specified that it is for the controller to demonstrate that those requests are unfounded or excessive.

50      In the present case, it is apparent from the request for a preliminary ruling that Österreichische Post refused the request made by RW under Article 15(1) of the GDPR to be informed of the identity of the recipients to whom Österreichische Post had disclosed the personal data concerning him. It will be for the referring court to determine whether, in the light of the circumstances of the main proceedings, Österreichische Post has demonstrated that that request is manifestly unfounded or excessive.

51      In the light of all the foregoing considerations, the answer to the question referred for a preliminary ruling is that Article 15(1)(c) of the GDPR must be interpreted as meaning that the data subject’s right of access to personal data concerning him or her, provided for by that provision, entails, where those data have been or will be disclosed to recipients, an obligation on the part of the controller to provide the data subject with the actual identity of those recipients, unless it is impossible to identify those recipients or the controller demonstrates that the data subject’s requests for access are manifestly unfounded or excessive within the meaning of Article 12(5) of the GDPR, in which cases the controller may indicate to the data subject only the categories of recipient in question.

 Costs

52      Since these proceedings are, for the parties to the main proceedings, a step in the action pending before the national court, the decision on costs is a matter for that court. Costs incurred in submitting observations to the Court, other than the costs of those parties, are not recoverable.

Article 15(1)(c) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation),

must be interpreted as meaning that the data subject’s right of access to the personal data concerning him or her, provided for by that provision, entails, where those data have been or will be disclosed to recipients, an obligation on the part of the controller to provide the data subject with the actual identity of those recipients, unless it is impossible to identify those recipients or the controller demonstrates that the data subject’s requests for access are manifestly unfounded or excessive within the meaning of Article 12(5) of Regulation 2016/679, in which cases the controller may indicate to the data subject only the categories of recipient in question.

[Signatures]

*      Language of the case: German.