CJEU rules on the right to know the identity of recipients of personal data

Article 15(1)(c) of the General Data Protection Regulation (“GDPR”) provides a right for the data subject to access information about “the recipients or categories of recipient to whom the personal data have been or will be disclosed”. A recent decision from the Court of Justice of the European Union (“CJEU”) has shed further light on what is expected of data controllers when supplying this information upon receipt of an access request. This decision has been an unwelcome development for some organisations, particularly those who have, to date, typically provided details of categories of recipients only.

Background

The issue of how to interpret Article 15(1)(c) arose in the context of a dispute between an individual and Österreichische Post, the Austrian Postal Service (RW v Österreichische Post AG, Case C‑154/21). The claimant had requested the Austrian Postal Service to provide him with his personal data and, if the data had been disclosed to third parties, for information concerning the identity of recipients of his personal data. The Postal Service referred him to its website and informed him that, as a publisher of telephone directories, it offers personal data to trading partners for marketing purposes. The claimant then sought an order from Austrian courts that would require the company to disclose the specific identity of the recipient(s) of his personal data, relying on Article 15(1)(c) of the GDPR. He argued that the information provided by the Postal Service did not clarify whether the company had, in fact, transferred his personal data to third parties.

During the proceedings, the Postal Service revealed that it had forwarded his data to advertisers, IT companies, mailing list providers, charities, non-governmental organisations and political parties for marketing purposes. The Austrian court of first instance and appellate court ruled that this list was sufficient under Article 15(1)(c). On further appeal, however, the Supreme Court of Austria was unsure as to whether the data controller had any discretion in the form of response to be given to access requests for information about the recipients of personal data. The Supreme Court speculated that if the data controller was given a choice between giving categories or specifics, they were likely to choose categories (being the less burdensome of the two options). However, it presumed that this approach would run contrary to the underlying objective of Article 15(1)(c), insofar as a data subject (and not the data controller) should instead be able to choose whether to be informed of categories of recipient or the specific recipients of their personal data. Thus, it referred the issue to the CJEU for consideration.

Decision

The CJEU noted that the wording of Article 15(1)(c) does not allow for an inference to be made as to the order of priority between providing specific identities or the categories of recipients. However, Recital 63 of the GDPR (which concerns the right of access) refers to a right to know the recipients of personal data and does not refer to “categories of recipient”.

The court then acknowledged that the right of access is necessary to enable the data subject to exercise the other rights available under the GDPR, such as the right of rectification, right to be forgotten, the right to restriction of processing and the right of action where damage is suffered. The CJEU recognised that the access right is also closely linked to the principles of Article 5, which requires personal data to be “processed lawfully, fairly and in a transparent manner in relation to the data subject”. Accordingly, the information provided in response to a data subject access request “must be as precise as possible”.

The court ultimately found that Article 15(1)(c) must be interpreted as meaning that a data controller must provide the actual identity of the recipients, “unless it is impossible to identify those recipients or the controller demonstrates that the data subject’s requests for access are manifestly unfounded or excessive”. If the data controller can demonstrate that it is impossible to identify the recipients (for example, if the recipients are not yet known) or that the data subject’s request is manifestly unfounded or excessive, the CJEU found that the controller is then entitled to indicate to the data subject only the categories of the recipients.

Comment

This clarification from the CJEU follows the same interpretation of Article 15(1)(c) as was expressed by the Advocate General’s opinion in this case and the guidelines issued by the European Data Protection Board in January 2022 on the right of access, which had stated that a data controller “should therefore generally name the actual recipients unless it would only be possible to indicate the category of recipients”.

It is now clear that data controllers must ensure that their responses to access requests reflect this interpretation, and that sufficient records are retained that will enable them to provide data subjects with the specific identities of recipients where an individual requests this. The common practice of simply attaching a copy of, or referring to, the controller’s data protection notice (which will typically contain details of potential categories of recipients only) will not suffice.

This document has been prepared by McCann FitzGerald LLP for general guidance only and should not be regarded as a substitute for professional advice. Such advice should always be taken before acting on any of the matters discussed.