Stricter Requirements: A new ruling from the CJEU clarifies that controllers are required to disclose, upon request by data subjects, the specific identities of third parties who process their data.
The CJEU’s decision
In a recent decision, the Court of Justice of the European Union considered the wording of Article 15 GDPR regarding data subject access requests (DSARs).
The court found that merely supplying individuals with general categories of recipients and referring them to a website with more information was insufficient to comply with Article 15 requirements.
The information a controller must supply should be as precise as possible. The only instances when a controller is not under this strict obligation are:
- Where it is “impossible” to disclose the information (for example when the recipient is not yet known)
- Where the request is excessive or unfounded (the controller must prove that it is excessive)
Although this is an EU decision, the trend towards broadening individuals’ rights regarding data information requests could soon make its way to the UK.
The full judgment can be found here.