March 27, 2023

Volume XIII, Number 86


March 24, 2023


Who Has My Data? EU Court Rules GDPR Requires Disclosure of Data Recipient Identities, Not Just Categories, in Response to Data Subject Access Requests

Under the European Union’s General Data Protection Regulation (GDPR), individual data subjects have the right to request that the data controller share information regarding the data subject’s personal information. This includes the right to know the “recipients or categories of recipients” to whom the data subject’s personal data has been disclosed. To date, data controllers have defaulted to disclosing the categories of recipients only, rather than the specific recipients by name. But that’s about to change.

On January 12, 2023, the Court of Justice of the European Union (CJEU) ruled that data controllers must specifically identify the recipients, rather than solely the categories of recipients, in response to a data subject access request. Although the ruling specifically addressed data subject access requests pursuant to Article 15 (data subject access rights) of GDPR, the decision also has significant implications for required disclosures at the point of collection under Article 13.  


This case began when an Austrian individual, RW, submitted a data subject access request to Österreichische Post AG (OP), an Austrian postal service provider, seeking the identity of any recipients of his data. Per Article 15 of GDPR, data subjects may request “the recipients or categories of recipient to whom the personal data have been or will be disclosed.” In its response to RW, OP stated that it shares RW’s personal information with trading partners for marketing purposes but refused to identify the specific recipients. RW filed suit, seeking the identity of the recipients, but the case was initially dismissed on the basis that GDPR “gives the controller the option of informing the data subject only of the categories of recipient, without having to identify by name the specific recipients to whom personal data are transferred.” RW appealed the decision to the Austrian Supreme Court (Oberster Gerichtshof), which referred the question to the CJEU for a preliminary ruling.

CJEU Adopts Expansive Interpretation of GDPR

In a decision with widespread ramifications, the CJEU ruled that controllers must reveal the specific identities of data recipients to the data subject in response to a data subject access request. Revealing the categories of recipients alone is only sufficient if revealing the specific identity of recipients is impossible. In support of its decision, the CJEU emphasized that, in light of the GDPR’s overall goals, the right of access requires transparency in all personal data processing. The CJEU noted that access to the identity of recipients is necessary in order for the data subject to exercise data subject rights under GDPR (such as the rights to rectification, erasure, and restriction of processing).


This ruling has significant implications when it comes to both data subject access requests and point-of-collection disclosures:

  • Data subject access requests – At a minimum, the CJEU decision now requires controllers to disclose the specific identities of data recipients in response to data subject access requests. If a controller determines that it is impossible to share specific identities (specifically because it does not yet know the identities of all recipients), the controller should clearly document the reasoning by which it made the impossibility determination – and it had better actually be impossible. In the context of GDPR’s Article 14.5(b) (providing disclosures where data was collected from a third party), the European Data Protection Board (EDPB) stated that “something is either impossible or it is not; there are no degrees of impossibility.” And it is likely the EDPB will adopt a similar attitude with regard to data subject access requests.

  • Disclosures at point of collection – In addition to disclosing specific recipient identities in response to data subject access requests, controllers should consider revisiting point-of-collection disclosures to EU data subjects in general. Like GDPR’s Article 15 (data subject access rights), Article 13 (point-of-collection disclosures) has language requiring the disclosure of “the recipients or categories of recipients of the personal data, if any.” While the CJEU has yet to extend its reasoning to point-of-collection disclosures, if controllers already know the identities of data recipients, they should consider disclosing those identities at the point of collection as well.

As a reminder, data subject access requests are subject to the threshold inquiry of whether the request is manifestly unfounded or excessive, so the transparency required under the GDPR is not without its limits. Also, controllers are not required to disclose the identity of specific recipients if it would be impossible — specifically, in the CJEU’s view, if the identity is not yet known. An impossibility determination should be used sparingly (and documented thoroughly, if used) in light of the EDPB’s findings on impossibility. At the end of the day, companies would be well advised to err on the side of honoring reasonable data subject access requests where possible, as the costs of defending litigation and/or a regulatory investigation would dwarf the administrative costs of responding to these requests.

© 2023 Bradley Arant Boult Cummings LLP

National Law Review, Volume XIII, Number 37

About this Author

Benjamin William Perry Litigation Attorney Bradley Arant Boult Cummings


Rachel M. LaBruyere Litigation Attorney Bradley Arant Boult Cummings Charlotte
