Österreichische Post AG – Court Ruling (Austria, 2023)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Austria's Supreme Court ruled that Österreichische Post AG did not have to disclose the specific recipients of personal data when responding to a user's access request. The court found that the company could share only broad categories of recipients, which means they complied with the law. This decision highlights the limits of what companies must reveal about data sharing.
What happened
Österreichische Post AG was asked to provide specific details about who received a user's personal data but only disclosed broad categories.
Who was affected
The person who requested access to their personal data from Österreichische Post AG.
What the authority found
The court decided that the company was not required to disclose the identities of specific recipients, only their categories, under Article 15 of GDPR.
Why this matters
This ruling shows that companies can limit the information they provide about data sharing, which may affect how users understand their rights. Website operators should be aware of how they handle access requests and what information they choose to disclose.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
The controller was a logistics and postal service provider also active in the fields of direct marketing and address publication. The data subject requested the controller to provide access to personal data concerning them pursuant to Article 15 GDPR. Deeming the controller’s reply insufficient, the data subject went to court to enforce their right to access. The data subject asked a full disclosure of which data were effectively shared and with whom, as the controller’s reply did not comply with the principles of accuracy and comprehensibility under Article 12(1) GDPR. During the civil proceeding it became clear that the controller processed and shared with third-parties data concerning the data subject’s marketing profile and potential political affinities with third-parties. However, the controller did not disclose the identity of specific recipients in the access request, but only their broad categories (e.g. advertising companies, IT-companies, NGOs). The controller denied that statistical data about data subjects’ political and philosophical affinities (the so-called marketing profiles) were personal data covered by the GDPR. The controller also replied that it could not disclose recipients’ identity because of several reasons, such as business confidentiality and a disproportionate effort on its side, as it did not keep a record of all the disclosure operations. Also, the controller argued that there is no obligation to disclose the identity of specific recipients under the GDPR, but only the categories of recipients. The first instance court upheld the controller’s defense. The court of appeal confirmed this judgement, stating that the GDPR gives the controller a free choice whether to share specific recipients or broad categories of recipients. As the controller disclosed such categories during the first instance proceeding, Article 15 GDPR was not violated. The Austrian Supreme Court sent a preliminary reference to the CJEU, which decided the case with j
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (4)
Other cases involving Österreichische Post AG in AT
Court Ruling
Details
About this data
Cite as: Cookie Fines. Österreichische Post AG - Austria (2023). Retrieved from cookiefines.eu
Last updated: