The right of access under Article 15 GDPR is one of the central data subject rights under data protection law. In practice, however, this raises some difficult questions of detail: Who is the data controller when a natural person acts within an organization? Must it also be disclosed from whom information received orally originated? And can incomplete information already give rise to claims for damages? The Austrian Supreme Court (OGH) has had to address these questions in the context of a school setting and has referred several questions of interpretation under EU law to the European Court of Justice (ECJ).
In connection with a school-based professional development program and the involvement of an external facilitator, the plaintiff was considered as a potential candidate. The defendant, the school principal, was involved in the organizational process and, during internal email communication, expressed concerns regarding the plaintiff's suitability, recommending that another person be considered. This communication also included evaluative statements about the plaintiff, which, according to the plaintiff, were at least partially based on information from conversations with third parties.
The plaintiff subsequently requested information from the defendant, the school principal, pursuant to Article 15 of the GDPR, as well as the transmission of a copy of his personal data. He also claimed non-material damages in the amount of EUR 800.00, based on an alleged violation of his right to information. The defendant denied, in principle, that any processing of his data was relevant under data protection law and argued that he had acted within the scope of his function as an officer of the school. The court of first instance dismissed the action, and the court of appeal upheld this decision.
The Supreme Court (OGH) ultimately had to decide whether the defendant school principal could be classified as a "controller" within the meaning of Article 4(7) GDPR in the specific context, or whether only the underlying legal entity could be considered the controller. In particular, the tension arose between the direct attribution of responsibility under the GDPR and the national regulations of the Official Liability Act (AHG).
According to the lower courts, holding the officer personally liable would be incompatible with the Austrian Liability Act (AHG). However, the Supreme Court (OGH) saw questions requiring clarification under EU law in this regard, particularly concerning the scope of the EU concept of liability for officers acting within public bodies.
Furthermore, the Supreme Court addressed the scope of the right of access under Article 15 GDPR with regard to the "origin of the data." It remains unclear, in particular, whether this obligation to provide information relates only to the direct source of the information or whether indirect sources of information or communication partners within email or voting processes must also be disclosed.
Due to these questions of interpretation under EU law, the Austrian Supreme Court (OGH) suspended the proceedings and referred several questions to the European Court of Justice (ECJ) for a preliminary ruling. No final decision on the merits was reached.
The decision demonstrates that even key terms of the GDPR, particularly "controller" and the scope of the right of access, continue to harbor considerable uncertainties in interpretation. The Austrian Supreme Court (OGH) is exercising restraint in accordance with EU law and is leaving the clarification to the European Court of Justice (ECJ). For practitioners, this means a period of heightened legal uncertainty, but also opens up strategic opportunities in data protection disputes.
Supreme Court 18.02.2025, 6 Ob 102/24d