EU top court rules that controllers must disclose actual identity of data recipients in response to data subject access request
The CJEU ruled that if personal data is (or will be) disclosed to recipients, controllers must disclose the actual identity of recipients, where requested by the data subject, unless the recipients are impossible to identify or the controller can prove that the request is manifestly unfounded or excessive.
RW, an Austrian individual, requested access to his personal data from Österreichische Post AG (OP), a postal service provider. He also asked OP to identify the recipients of his data. OP responded that it shared RW’s data with trading partners for marketing purposes, but did not disclose specific recipients. RW sued OP, seeking information on the specific recipients of his data. During the court proceedings, OP informed RW that it had transferred his data to various third parties, such as advertisers, IT companies, mailing list providers and different associations (eg NGOs, political parties or charitable organisations).
The lower courts in Austria rejected RW's claim. They argued that under Art. 15(1)(c) GDPR the controller could choose only to inform the data subject of the categories of recipient, without naming the actual recipients of the data. RW appealed to the Austrian Supreme Court, the Oberste Gerichtshof, which referred the case to the CJEU for clarification. The Austrian Supreme Court disagreed with the lower courts. It said that the data subject should have the option to ask for information on either the categories or the specific recipients of his data. The Supreme Court noted that if Art. 15(1)(c) GDPR gave the controller a choice, no controller would provide information about the specific recipients of the data.
The CJEU decision
The CJEU interpreted Art. 15(1)(c) GDPR in light of the broader context and objectives of the GDPR and ruled that controllers must disclose the exact identity of recipients to a data subject on request. If it is not possible to identify the recipients, the disclosure of categories of recipients is sufficient. In reaching this conclusion, the CJEU emphasised the following points:
- recital 63 GDPR expressly grants the data subject the right to know and obtain communication about the recipients of the personal data, without limiting that right to categories of recipient;
- the right of access requires that all personal data processing complies with the data processing principles under Art. 5 GDPR, including the principle of transparency;
- the CJEU distinguished the “genuine” right of data subjects to request information on recipients under Art. 15(1)(c) from the transparency requirements under Art. 13 and 14 GDPR;
- the right of access enables the data subject to verify the accuracy and lawfulness of the personal data concerning them, including whether they are disclosed to authorised recipients. This right is also necessary for the exercise of other data subject rights under the GDPR, such as the rights to rectification, erasure or restriction of processing, as well as the rights to seek judicial remedy and compensation for damages. The CJEU concluded that the data subject must have the right to be informed of the identity of the specific recipients to whom the personal data have already been disclosed;
- the CJEU further pointed out that the right to the protection of personal data is not absolute and must be balanced with other fundamental rights in society, following the principle of proportionality. In some situations, it may not be possible to give information about specific recipients. In such cases, the right of access may be restricted to information about the categories of recipient, for example when the actual recipients are not yet known;
- in addition, Article 12(5)(b) GDPR allows the controller to reject requests from a data subject that are manifestly unfounded or excessive (in which case, the controller should disclose the categories of recipients). The controller must demonstrate that the requests are unreasonable or excessive.