CJEU puts its foot down on the Right of access – Controllers must name specific recipients

In its judgment of 12 January 2023 (Case C-154/21), the European Court of Justice (“CJEU”) decided that controllers are generally obliged to provide the data subject with the identity of the specific recipients to whom they have disclosed or will disclose personal data relating to the data subject upon the data subject's access request. Only in exceptional cases it is sufficient to indicate only the categories of recipient.

Background

The judgment is based on a proceeding involving the Österreichische Post where a data subject requested information about the specific recipients of their personal data.

According to Art. 15 para. 1 s. 1 GDPR, data subjects have the right to obtain information about the processing of personal data concerning them. Pursuant to Art. 15 para. 1 lit. c GDPR this also includes the right of access to information about the recipients or categories of recipient to whom the personal data have been or will be disclosed.

In response to the underlying data subject’s access request, the Österreichische Post did not provide information about the specific recipients of the personal data of the data subject but only provided information about categories of recipient. The Oberster Gerichtshof (Supreme Court, Austria), hearing the dispute as last instance, submitted relevant questions to the CJEU by way of a preliminary ruling procedure. The key question was whether the controller could choose independently to disclose either the specific identity of the recipients or only the categories of recipient. So, once again, the CJEU had to deal with Art. 15 GDPR.

Decision

The CJEU decided that controllers generally must provide the data subject with the identity of the specific recipients of their personal data. In general, the right of access may not be restricted to information about the categories of recipient.

First of all, the CJEU pointed out that the wording of Art. 15 para. 1 lit. c GDPR does not make it possible to determine unequivocally whether or not the data subject would have the right to obtain information about the specific recipients of their personal data. However, Recital 63 GDPR states that the data subject is to have the right to know and obtain communication in particular with regard to the recipients of the personal data. In addition, Recital 63 does not state that that right may be restricted solely to categories of recipient (cf. para. 33). In addition, the data subject must be informed about the underlying data processing in an easily accessible and understandable way (cf. para. 35).

With regard to the transparency requirements under data protection law (for instance, privacy policies on websites), it is usually sufficient to inform the data subject only about the categories of recipients. In further justifying its judgment, the CJEU compared the provisions on the scope of the right of access (Art. 15 GDPR) and the corresponding provisions on the scope of the transparency requirements (Art. 13 and 14 GDPR) in a systematic manner. The right of access - unlike to the aforementioned transparency requirements - lays down a genuine right of access for the data subject (cf. para. 36). From this difference, The CJEU derives that the data subject must therefore have the option to choose whether to request access to information about specific recipients, if possible, or to be satisfied with information about the categories of recipient (cf. para. 36).

The CJEU explains its decision with the fact that the purpose of the right of access is to ensure the “effectiveness” of the data subject’s rights (such as the right to erasure pursuant to Art. 17 GDPR) but also the preservation of effective judicial legal protection. Therefore, “the data subject must have, in particular, the right to be informed of the identity of the specific recipients where his or her personal data have already been disclosed” (para. 39).

Restrictions of the Right of access

Nevertheless, the CJEU emphasizes that the right of access does not require access to information about the specific recipients in all cases. In certain circumstances, it may be impossible to disclose the identity of specific recipients (especially where they are not yet known). According to the CJEU, it is still sufficient to disclose only information about categories of recipient in such cases (cf. paras. 47 et seq.).

As the CJEU points out, controllers may continue to refuse to act on data subject access requests where those requests are manifestly unfounded or excessive. However, the controller must demonstrate that those requests are unfounded or excessive (cf. para. 49).

Impacts on Controllers

Once again, CJEU case law has a serious impact on everyday corporate practice with respect to GDPR compliance. It is no longer possible for companies to provide the data subjects only with information about the categories of recipient and to keep their efforts correspondingly low.

Irrespective of the question of whether the disclosure of personal data is permissible, which always needs to be examined, companies are now urgently advised to always adequately document the corresponding disclosure of personal data. Data protection compliance should be organized in a way that makes it possible to trace easily the disclosure of personal data in order to be able to name all the specific recipients. Any negligence can otherwise lead to considerable expense and, above all, to legal consequences. This is because, the disclosure of incomplete information can also be considered a breach of data protection law that may result in sanctions by supervisory authorities and claims for damages under civil law by data subjects.

The CJEU’s judgment on the scope of a copy of personal data under Art. 15 para. 3 s. 1 GDPR is still pending (Case C-487/21). The Advocate General published his conclusions in December 2022 (cf. our Update). The impending judgment could increase the effort when remedying data subject access requests.