Who Has My Data? EU Court Rules GDPR Requires Disclosure of Data Recipient Identities, Not Just Categories, in Response to Data Subject Access Requests
Under the European Union’s General Data Protection Regulation (GDPR), individual data subjects have the right to request that the data controller share information regarding the data subject’s personal information. This includes the right to know the “recipients or categories of recipients” to whom the data subject’s personal data has been disclosed. To date, data controllers have defaulted to disclosing the categories of recipients only, rather than the specific recipients by name. But that’s about to change.
On January 12, 2023, the Court of Justice of the European Union (CJEU) ruled that data controllers must specifically identify the recipients, rather than solely the categories of recipients, in response to a data subject access request. Although the ruling specifically addressed data subject access requests pursuant to Article 15 (data subject access rights) of GDPR, the decision also has significant implications for required disclosures at the point of collection under Article 13.
This case began when an Austrian individual, RW, submitted a data subject access request to Österreichische Post AG (OP), an Austrian postal service provider, seeking the identity of any recipients of his data. Per Article 15 of GDPR, data subjects may request “the recipients or categories of recipient to whom the personal data have been or will be disclosed.” In its response to RW, OP stated that it shares RW’s personal information with trading partners for marketing purposes but refused to identify the specific recipients. RW filed suit, seeking the identity of the recipients, but the case was initially dismissed on the basis that GDPR “gives the controller the option of informing the data subject only of the categories of recipient, without having to identify by name the specific recipients to whom personal data are transferred.” RW appealed the decision to the Austrian Supreme Court (Oberster Gerichtshof), which referred the question to the CJEU for a preliminary ruling.
CJEU Adopts Expansive Interpretation of GDPR
In a decision with widespread ramifications, the CJEU ruled that controllers must reveal the specific identities of data recipients to the data subject in response to a data subject access request. Revealing the categories of recipients alone is only sufficient if revealing the specific identity of recipients is impossible. In support of its decision, the CJEU emphasized that, in light of the GDPR’s overall goals, the right of access requires transparency in all personal data processing. The CJEU noted that access to the identity of recipients is necessary in order for the data subject to exercise data subject rights under GDPR (such as the rights to rectification, erasure, and restriction of processing).
This ruling has significant implications when it comes to both data subject access requests and point-of-collection disclosures:
Data subject access requests – At a minimum, the CJEU decision now requires controllers to disclose the specific identities of data recipients in response to data subject access requests. If a controller determines that it is impossible to share specific identities (specifically because it does not yet know the identities of all recipients), the controller should clearly document the reasoning by which it made the impossibility determination – and it had better actually be impossible. In the context of GDPR’s Article 14.5(b) (providing disclosures where data was collected from a third party), the European Data Protection Board (EDPB) stated that “something is either impossible or it is not; there are no degrees of impossibility.” And it is likely the EDPB will adopt a similar attitude with regard to data subject access requests.
Disclosures at point of collection – In addition to disclosing specific recipient identities in response to data subject access requests, controllers should consider revisiting point-of-collection disclosures to EU data subjects in general. Like GDPR’s Article 15 (data subject access rights), Article 13 (point-of-collection disclosures) has language requiring the disclosure of “the recipients or categories of recipients of the personal data, if any.” While the CJEU has yet to extend its reasoning to point-of-collection disclosures, if controllers already know the identities of data recipients, they should consider disclosing those identities at the point of collection as well.
As a reminder, data subject access requests are subject to the threshold inquiry of whether the request is manifestly unfounded or excessive, so the transparency required under the GDPR is not without its limits. Also, controllers are not required to disclose the identity of specific recipients if it would be impossible — specifically, in the CJEU’s view, if the identity is not yet known. An impossibility determination should be used sparingly (and documented thoroughly, if used) in light of the EDPB’s findings on impossibility. At the end of the day, companies would be well advised to err on the side of honoring reasonable data subject access requests where possible, as the costs of defending litigation and/or a regulatory investigation would dwarf the administrative costs of responding to these requests.