CJEU clarifies: Every person has the right to know to whom his or her personal data has been disclosed
The right of access, which is one of the main individual rights enshrined under the General Data Protection Regulation (“GDPR”), entitles data subjects to receive both a copy of their personal data and other supplementary information.
Article 15(1) of the GDPR provides what information needs to be disclosed, and includes inter alia the purposes for processing the data subject’s personal data, the categories of personal data involved, the envisaged retention period and the data recipients.
By its recent ruling in Österreichische Post (Case C-154/21), the Court of Justice of the European Union (“CJEU”) has now provided valuable clarification on the extent of a controller’s disclosure requirements. In this case, the question arose whether the GDPR grants data subjects the right to know the actual identity of the recipients of their personal data, or whether it is up to the controller to choose between disclosing the actual identities and disclosing only the (general) categories of recipients.
Through its decision, the CJEU has affirmed that article 15(1)(c), GDPR does in principle include an obligation for controllers to disclose the recipients’ actual identity. Providing only the categories of recipients may, however, be permitted where either it is impossible for the controller to identify the actual recipients or the controller can prove that the request is manifestly unfounded or excessive.
In the underlying case, an Austrian citizen requested the Österreichische Post, which is the principal operator of postal and logistical services in Austria, to provide him with the identities of the recipients to whom Österreichische Post has disclosed (or will disclose) his personal data. In its response, Österreichische Post merely identified the categories of recipients, stating inter alia that in the course of its activities it shares the personal data with its trading partners for marketing purposes.
The citizen instituted judicial proceedings before the Austrian courts, seeking an order to require Österreichische Post to disclose the recipients’ specific identities, and not merely the categories of recipients. During the proceedings, Österreichische Post further informed the plaintiff that his personal data had been transferred to various third parties, including advertisers, stationary outlets, IT companies, mailing list providers and other associations such as NGOs, political parties and charities. The Austrian Supreme Court (the Oberster Gerichtshof) sought clarification as to whether article 15(1)(c), GDPR grants data subjects a right to know the specific identities of these data recipients, or whether the controller has the choice to disclose either the categories of recipients only, or their specific identity. Consequently, the Austrian Supreme Court referred the matter to the CJEU for a preliminary ruling.
The CJEU’s Ruling
The CJEU confirmed that a data subject’s right of access in terms of article 15(1)(c), GDPR does entail an obligation on the part of the controller to name the actual identity of the recipients to whom his or her personal data has been disclosed. This conclusion was perhaps inevitable, particularly because – as noted by the Austrian Supreme Court – if article 15(1)(c) were to be interpreted as giving the controller a choice, it’s likely that few (if any) controllers would actually opt to disclose the specific recipients.
In its reasoning, the CJEU held that the interpretation of article 15(1)(c) is not entirely clear from its wording and should therefore be understood in light of the wider context and objectives of the GDPR. In that regard, the CJEU made reference to and emphasised a number of salient points, including that:
- recital 63 to the GDPR grants data subjects the right to know and obtain confirmation from the controller on “recipients of [his/her] personal data”, without expressly narrowing this right to only categories of recipients;
- for the right of access to be respected, all processing of personal data must comply with the principles set out in article 5, GDPR. Those principles include ensuring transparency vis-à-vis the data subject, which means providing the data subject, in an easily accessible and easy to understand manner, with information about how his or her personal data is being processed;
- the right of access is necessary to enable the data subject to verify whether the processing of his/her personal data is lawful and to exercise the other rights given to them under the GDPR, such as the right to be forgotten, the right to rectification and the right of action where damage is suffered. Without the actual identity of the recipients of his/her data, the data subject could potentially be prevented from effectively exercising those rights.
Notwithstanding this, a data subject’s right of access is not absolute or unconditional, and the CJEU further acknowledged that there may be certain situations where it might not be possible or reasonable for a controller to be expected to give information about the specific recipients.
To that end, the CJEU specified that a controller may be entitled not to name the specific recipients, and instead provide only the categories of recipients, in the following situations:
- where it is impossible for the controller to identify the specific recipients, including where the recipients are not yet known; or
- where the controller can demonstrate that the request is manifestly unfounded or excessive.
The CJEU’s ruling clarifies a previously ambiguous provision in the GDPR and provides further support for its objective of ensuring a high level of data protection. That said, this ruling will also have important implications for organisations, which will have to ensure that updated records are kept on the identity of the specific recipients for each data transfer. By failing to do so, a controller – if faced with such a request – could find itself having to, within a tight timeframe, try to identify all of the possible recipients, with the risk of providing incomplete or inaccurate information to the data subject.
This stands in contrast to the transparency rights found in articles 13 and 14 of the GDPR, which currently allow controllers to choose between either naming the actual recipients or indicating the categories of recipients in their privacy notices. Nonetheless, this ruling would also appear to establish that data subjects can follow up on a privacy notice which only indicates the categories of (potential) recipients of their personal data and request to be provided with further details, including the recipients’ actual identities.