Court case W292 2235791-1 – Court Ruling (Austria, 2025)

The data subject lodged a complaint with the Austrian Data Protection Authority (DSB), alleging a violation of its right of access under Article 15 GDPR. Specifically, the data subject requested information from the controller about the recipients and categories of recipients to whom its personal data had been disclosed. In response, the controller provided a general list of all potential recipients but did not specify individual recipients. The DSB held that the controller had violated Article 15 by providing incomplete information. The controller appealed this decision to the Federal Administrative Court. The Court upheld the controller’s appeal. Referring to CJEU case law, the Court confirmed that data subjects have a right to be informed of specific recipients under Article 15(1)(c) GDPR, unless identification is impossible or the request is manifestly unfounded, in which case only categories of recipients must be provided. Applying this standard, the Court found that the controller had fulfilled its obligation by naming all potential processors, explaining the purposes of data transfers, and identifying processors who had not received the data. Since the specific recipients could not be identified due to a lack of documentation, documentation that is not legally required, the Court concluded that the information provided was sufficient and complete.