Organisations must provide individuals with information on the specific recipients of their data upon request.
The Court of Justice of the European Union (CJEU) has ruled that organisations must generally disclose the specific identity of data recipients on request from an individual in order to give effect to the right of access. Organisations may only limit their response to the mere categories of recipients if they cannot identify the specific recipients or if the request is manifestly unfounded or excessive. The court’s judgment in the case of RW v. Österreichische Post AG (Case C-154/21) follows the opinion given by CJEU Advocate General Giovanni Pitruzzella in mid-2022 (the Opinion). For background on the case and the Opinion, see this Latham & Watkins blog post.
Information on Specific Recipients of Personal Data
The case dealt with information that organisations must provide when responding to data subject access requests (DSARs) under Article 15 GDPR. Specifically, the CJEU examined the individual’s right of access to information about “the recipients or categories of recipient to whom the personal data have been or will be disclosed […]” under Article 15(1)(c) GDPR. The CJEU broadly followed the Opinion and held that Article 15 GDPR requires controllers to provide data subjects with information on the specific, identified recipients of their personal data.
Although Article 15(1)(c) GDPR allows for disclosure of “the recipients or categories of recipient”, the CJEU found that Recital 63 expressly provides that individuals should have “the right to know…the recipients of the personal data”, which would require information about specific recipients. The CJEU also found that this information was necessary to properly give effect to the objectives and purpose of the right of access under the GDPR, and so that the individual could exercise other data protection rights, such as the rights around notification of rectification, erasure, or restriction to recipients under Article 19 GDPR.
The CJEU does not, therefore, consider it sufficient for controllers to provide data subjects with information on only the categories of recipients of their personal data, other than in two specific circumstances:
- Impossibility: if it is impossible to identify those recipients (in particular, where they are not yet known); or
- Manifestly Excessive/Unfounded: if the controller can evidence that the data subject’s request is manifestly unfounded or excessive (within the meaning of Article 12(5) GDPR).
In such circumstances, the CJEU states that the controller may provide the data subject with information on only the categories of recipients.
It is noteworthy that the CJEU distinguishes the Article 15 GDPR right of access from the transparency obligations at Articles 13 and 14 GDPR. Under the transparency obligations, the controller is required to provide the data subject with information about “the recipients or categories of recipients of personal data, if any” and the CJEU notes that it is for the controller to choose which to provide. By contrast, the CJEU opines that under Article 15 GDPR it is for the individual, as the holder of the right to access, to decide how to exercise their right and so they can elect between obtaining access to information about specific recipients, or simply categories of recipients, as part of their DSAR.
Depending on how national regulators and courts interpret and apply the CJEU’s decision, organisations may need to identify specific recipients of personal data as a matter of course when responding to DSARs.
In order to prepare for this potential shift in expectations, organisations should review and uplift (as necessary) their personal data mapping to ensure they can effectively identify and map specific recipients of personal data disclosures (per data subject, or per group of data subjects sharing the same recipient list) and that these records are appropriately retained to fully capture historic data sharing that may still be within the scope of a DSAR. Interestingly, the question referred to the CJEU was in the context of disclosures to third parties, and there may be arguments that the court’s reasoning does not apply to internal recipients within the same controller, but it may be helpful to document these in any event.
For many organisations, this enhanced data mapping will likely be a time-consuming and costly exercise. However, applying additional resources in advance to ensure robust visibility of personal data disclosures will not only help organisations comply with their other GDPR obligations (including in relation to Article 19 GDPR requests) but also help mitigate the risks of failing to comply with the GDPR when responding to DSARs (particularly when the strict deadlines for response do not allow for extensive data mapping at the time of response). Such risks include administrative procedures by regulators as well as complaints and civil claims from individuals, including those initiated by specialised data protection or consumer groups. In parallel, organisations should develop their defence strategies against such risks of regulatory enforcement or claims.
While CJEU judgments do not apply in the UK post-Brexit, the text of Article 15 GDPR is almost identical under the UK GDPR. The UK regulator may therefore provide further clarification in later guidance.