CJEU Finds That Companies Must Provide Individuals with the Identity of Data Recipients When Responding to Data Access Requests

Wilson Sonsini Goodrich & Rosati

On January 12, 2023, the Court of Justice of the European Union (CJEU) ruled[1] that the data subject’s right of access to personal data[2] requires controllers to provide the data subject with the identity of the companies that they have shared or will share data with. This is a sharp departure from current market practice, since many controllers typically provide the categories of data recipients, and not their actual identity, when responding to data subject access requests.

Although the CJEU provides for some exceptions to this requirement, this development sets further transparency obligations on companies.

Background

An individual made a General Data Protection Regulation (GDPR) access request to the Austrian postal services (Österreichische Post, or ÖP). In response, ÖP informed the individual that his personal data had been disclosed to customers, mailing list providers, and associations such as charitable organizations, nongovernmental organizations, and political parties. ÖP did not otherwise provide further details regarding the actual identity of each data recipient. The individual subsequently brought proceedings against ÖP before the Austrian courts seeking an order that ÖP must provide the individual with the actual identity of the recipients of his personal data.

The Austrian courts at first instance and on appeal dismissed the individual’s claim on the ground that the wording of Article 15(1)(c) GDPR (“the recipients or categories of recipient”) gives the controller discretion to inform the data subject about categories of recipients only. As such, the controller does not need to identify by name any specific recipients to whom the personal data have been or will be disclosed.

However, the Austrian Supreme Court sought clarification and made a request for a preliminary ruling to the CJEU as to whether the wording of Article 15(1)(c) GDPR is meant to provide the option to the controller to decide the level of detail that it will provide to the data subject (categories of recipients or actual identity of recipients).

CJEU Ruling

The CJEU held that data subjects have the right to obtain information about the specific recipients to whom their personal data is disclosed. This right cannot, in principle, be restricted to merely categories of recipients at the data controller’s discretion. According to the CJEU, this interpretation ensures transparency towards data subjects and enables them to effectively exercise their rights under the GDPR, such as the right to restriction of processing or the right to object to processing. It also enables individuals to confirm that their data is processed in a lawful manner and that it has been disclosed to authorized recipients. The CJEU further notes that the information provided to the data subject must be “as precise as possible.”[3]

However, the CJEU’s ruling provides that the right of access may be restricted to “categories of recipients” in certain circumstances:

  • Impossible to disclose specific recipient(s): The CJEU refers to the principle of proportionality and states that the information can be limited to categories of recipients if it is “impossible to disclose the identity of specific recipients.”[4] The CJEU does not further expand on the notion of “impossibility.”
  • Access request is unfounded or excessive: The CJEU makes reference to Article 12(5)(b) GDPR, according to which controllers may refuse to act on an access request where it is “manifestly unfounded or excessive.” However, it is the controller’s responsibility to demonstrate that a request is unfounded or excessive.

Implications and Conclusion

The CJEU’s ruling increases transparency obligations for companies and requires them to engage in a fact-finding mission to inform data subjects as precisely as possible about the specific data recipients. Overall, companies may need to perform a balancing test in light of the principle of proportionality in each access request to determine whether information about specific data recipients must, and can, be provided to data subjects.

Michael Kern contributed to the preparation of this Alert.


[1] CJEU judgment in case C-154/21, RW v Österreichische Post, January 12, 2023.

[2] Within the meaning of Article 15 GDPR.

[3] CJEU judgment in case C-154/21, RW v Österreichische Post, January 12, 2023, par. 43.

[4] CJEU judgment in case C-154/21, RW v Österreichische Post, January 12, 2023, par. 48.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Wilson Sonsini Goodrich & Rosati | Attorney Advertising
