Following a recent opinion given by the Advocate General (AG) of the CJEU, there is a risk that, if the CJEU follows it, a data subject will have to be provided, upon request, with the specific identity of the recipients of that person’s personal data rather than a broad category of recipients.
An individual (the data subject) brought a claim against the Austrian Post (the controller) after requesting a list of all the recipients to whom their personal data had been disclosed. The controller relied on its general privacy notice, which set out the broad categories of recipients, such as business customers, IT companies and charities, including NGOs. The controller did not reveal the specific identities of those recipients. After an unsuccessful first instance ruling, the data subject referred the question to the CJEU, arguing that the controller did not meet the access requirements of Article 15 GDPR: the controller had not clarified whether the data had actually been processed and, if it had, had failed to confirm who the specific recipients of the personal data were. The CJEU was then tasked with interpreting the exact scope of a data subject’s right to obtain information regarding the recipients of their personal data under Article 15(1)(c) GDPR.
Following an analysis of the relevant articles and recitals of the GDPR, the Advocate General concluded that the GDPR requires a controller to identify the specific recipients of a data subject’s personal data following an access request.
The AG stated that the purpose of disclosing either the categories of recipient or the specific recipient is to ensure that the data subject is aware of the processing of their data, can verify the lawfulness of the processing, and can exercise their other rights under the GDPR. Consequently, not providing a specific list of actual or potential recipients upon request by the data subject would undermine this purpose.
The AG did caveat this requirement with limited exceptions, in particular where it is materially impossible to provide such specific information, for example where the specific recipients have not yet been identified. Additionally, where a controller can demonstrate that the access request by the data subject was manifestly unfounded or excessive, refusal may be permitted. Note that the controller bears the burden of proof in demonstrating the manifestly unfounded or excessive character of the data subject’s request. This opinion is in line with the European Data Protection Board Draft Access Guidelines, which are due to be published by the end of the year.
The CJEU does not have to follow the AG’s opinion, but if it does, companies and organisations that receive an access request from a data subject will be required to provide the specific identities of those who received that person’s personal data. This is likely to affect businesses by requiring significant additional resources, as effectively identifying and mapping the specific recipients of the requesting data subject’s personal data is no easy feat.