On 12 January 2023, the European Court of Justice (“CJEU”) delivered its judgment regarding the right of access to personal data under Article 15 GDPR. The CJEU held that when exercising their right of access under the GDPR, data subjects must be provided with the identity of the individual recipients of their personal data.
Under Article 15 GDPR, data subjects have the right to obtain confirmation from the controller as to whether or not personal data concerning them are being processed, and, where this is the case, “information relating to the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations” (Article 15(1)(c) GDPR).
The referral to the CJEU arose from a data subject access request (“DSAR”) under Article 15 GDPR. The data subject requested information regarding the identity of third parties to whom the controller had disclosed his personal data. In response to the request, the controller provided the data subject with the categories of recipients and also referred to a website that set out more information and further data processing purposes.
The data subject issued proceedings in the Austrian courts against the controller, arguing that the controller had failed to comply with the requirements of Article 15 GDPR, as it had not provided sufficient information relating to the disclosure of personal data to third parties and the specific recipients of the personal data.
The first instance court and court of appeal found in favour of the controller, holding that the wording of Article 15(1)(c) GDPR allowed only categories of recipients to be disclosed. The data subject appealed to the Supreme Court of Austria, which referred the question to the CJEU.
The CJEU held that the right of access under Article 15 GDPR contains an obligation on the controller to provide the data subject with the actual identity of recipients of their personal data.
In particular, the CJEU held:
- The information provided to the data subject pursuant to a DSAR under Article 15(1)(c) GDPR must be as precise as possible. In particular, whether the individual recipients are disclosed or only the categories of recipients are disclosed is, in principle, a choice of the data subject. The CJEU held that Article 15(1)(c) GDPR allows the data subject to obtain information from the controller about the specific recipients to whom the data have been or will be disclosed or, alternatively, “to elect merely to request” information concerning the categories of recipient.
- Data subjects must, in particular, have the “right to be informed of the identity of the specific recipients where his or her personal data have already been disclosed.”
- The CJEU highlighted that there are two ‘exceptions’ to the general rule that the data subject has a right to know the identity of the specific recipients:
  - When “impossible” to provide information about specific recipients: “the right of access may be restricted to information about categories of recipient if it is impossible to disclose the identity of specific recipients, in particular where they are not yet known.” This carve-out is interesting as it is not explicitly included within the GDPR.
  - When the controller can demonstrate that a request is manifestly unfounded or excessive (within the meaning of Article 12(5) of the GDPR). The CJEU did not further clarify these concepts.
As individuals become more aware of their rights under data protection law, DSARs are an increasingly frequent concern for organisations both large and small. Individuals and claimant firms are increasingly using DSARs as a means of seeking to obtain information and documentation in support of litigation. The CJEU decision has wide implications for data controllers and is likely to present significant challenges when answering DSARs, especially where the controller does not have comprehensive lists of recipients for each processing activity.
Of particular note, the findings of the CJEU do not seem to automatically extend to information to be included in privacy notices under Articles 13 and 14. In its reasoning, the CJEU held that Articles 13 and 14 of the GDPR lay down an obligation on the controller to provide the data subject with information relating to the categories of recipient or the specific recipients of the personal data. However, Article 15 GDPR “lays down a genuine right of access for the data subject, with the result that the data subject must have the option of obtaining either information about the specific recipients to whom the data have been or will be disclosed, where possible, or information about the categories of recipient.”
If you have any questions about the content of this post, please contact your usual DLA Piper lawyer.