Austrian Supreme Court asks CJEU whether sharing data with a processor requires a separate Article 6 GDPR legal basis

The Austrian Supreme Court (OGH) has referred two fundamental questions on the GDPR to the Court of Justice of the European Union (CJEU) for a preliminary ruling (OGH 6 Ob 69/25b, 26 May 2026).

The case arose in the context of newsletter processing. However, the first question referred to the CJEU goes far beyond newsletters: it concerns the basic relationship between controllers and processors under the GDPR. If the transfer of personal data from a controller to a processor requires a separate Article 6 legal basis, this may affect a wide range of outsourced processing arrangements, including cloud hosting, CRM systems, payroll providers, IT service providers, email marketing tools and other SaaS solutions.

Background

The dispute arose after the theft of cryptocurrency.

The claimant had purchased a hardware wallet and related software from the defendant. The defendant used a US-based company as a processor for managing and dispatching newsletters to customers' email addresses. That US company had committed itself to the defendant by way of Standard Contractual Clauses for transfers to a third country.

The claimant received an email asking him to confirm his newsletter subscription. At the end of that email, in small print and in English, it stated that the defendant used the US company as its marketing automation platform and that, by confirming the subscription, the claimant acknowledged that the information provided would be transferred to that company for processing in accordance with its privacy policy and terms.

The claimant did not read that small-print notice. He clicked the confirmation link. According to the findings, he was not aware that his email address would be stored and processed on US servers. Had he known that, he would not have consented to the newsletter processing.

In March 2022, accounts of the US processor were attacked by phishing. Among other data, the claimant's email address and IP address were stolen. A few days later, the claimant received a phishing email, was induced to download a supposed update, and entered his recovery seed. His cryptocurrency holdings were then transferred to unknown wallets.

The claimant relies on Article 82 GDPR and argues that the defendant unlawfully transferred his personal data to the US processor without a valid legal basis and without informed consent.

The two questions referred

Question 1: Does a transfer from controller to processor require a separate Article 6 GDPR legal basis?

The first question referred to the CJEU is whether the transmission of personal data from a controller to a processor requires a separate legal basis under Article 6(1) GDPR.

The prevailing view in German-language legal scholarship is that the requirements for engaging a processor are exhaustively governed by Article 28 GDPR and, in the case of third-country transfers, by Articles 44 et seq GDPR. On that view, no separate Article 6 legal basis is required for the transfer to the processor itself.

The main arguments are that the processor is not a "third party" within the meaning of Article 4(10) GDPR, acts under the controller's instructions, and is treated, for data protection purposes, as part of the controller's sphere. The European Data Protection Board's Guidelines 07/2020 also support this approach by stating that the lawfulness of processing by a processor derives from the controller's activity.

A minority view takes the opposite position: the disclosure of personal data to a processor is itself a processing operation and therefore requires justification under Article 6 GDPR.

The OGH considered the question not to be acte clair and noted that, as far as apparent, there is no existing CJEU ruling clarifying the issue.

Question 2: What must the data subject know for newsletter consent to be "informed"?

The second question is conditional. It arises only if the CJEU answers Question 1 in the negative.

The OGH asks whether consent to receiving a newsletter is "informed" within the meaning of Article 4(11) GDPR only if the data subject knows, before giving consent, that the controller intends to use a processor located in a third country for that specific processing operation.

This question shifts the focus from the lawfulness of the transfer itself to the transparency requirements for consent.

The EDPB Guidelines 05/2020 on consent do not expressly require that processors be named as a condition for valid consent. They do, however, refer to minimum information on possible risks of data transfers without an adequacy decision and without appropriate safeguards under Article 46 GDPR. They also leave room for the possibility that, depending on the circumstances and context, more information may be required for the data subject to genuinely understand the processing operation.

In the underlying case, the information about the US processor appeared only in small print at the bottom of the confirmation email, in English, without a separate consent mechanism. The claimant did not read it.

Why this matters

The practical implications may be significant.

Controller-to-processor relationships are a basic feature of modern data processing. Organisations routinely use external providers for cloud hosting, IT support, payroll, accounting, CRM systems, document management, email marketing, analytics, payment services, HR tools and other SaaS solutions.

If the CJEU answers Question 1 affirmatively, every transfer of personal data from a controller to a processor would require its own Article 6 legal basis. That would have substantial consequences for existing data processing arrangements. Organisations would need to reassess whether an independent lawfulness ground covers the transfer to the processor itself, not merely the underlying processing purpose.

If Question 1 is answered negatively, but Question 2 affirmatively, the focus shifts to transparency and consent design. Consent-based newsletter subscriptions involving third-country processors may then be valid only if subscribers are clearly informed, before consenting, that such a processor will be used.

A small-print reference to a processor's privacy policy, especially in a language the subscriber may not use as their primary language, may not be sufficient.

The OGH has suspended the proceedings pending the CJEU's ruling.

Source

OGH 6 Ob 69/25b, 26 May 2026

More on data protection

For a recent related development on the controller/processor boundary under Austrian and EU law, see our post on the VwGH ruling on parent company liability under Article 26 GDPR.

About Sabadello Legal

Sabadello Legal advises companies across all industries on data protection matters: from ongoing GDPR compliance and the drafting of data processing agreements and joint controller arrangements to representation before the Austrian Data Protection Authority and the administrative courts.

A particular focus lies on supporting non-EEA companies with GDPR compliance for their data flows into the EEA, as well as on data protection issues within corporate group structures. We also advise on data protection issues arising in the employment context.

Contact

RA Mag. Andreas Sabadello
Sabadello Legal
https://sabadello.legal
Tel: +43 1 99 71 037
office@sabadello.legal

Disclaimer

This article is for general information purposes only and does not constitute legal advice. For advice on your specific situation, please contact us directly.