European Top Court Confirms Companies Need to Name “Recipients” of Personal Data When Responding to Access Requests, Not Just Categories

On January 12, 2023, the Court of Justice of the European Union (“CJEU”) ruled in case C-154/21 | Österreichische Post AG that controllers must provide the specific identity of any “recipient” of personal data in response to a GDPR access request. While the GDPR itself states that controllers may inform individuals of the “recipients or categories of recipients,” the CJEU held that disclosing “categories of recipients” is sufficient only where it is not possible to provide a specific identity or where another exception applies.

The term “recipient” refers to any person or entity to which personal data is disclosed – including all service providers and processors – not just third-party controllers. This means that controllers should maintain comprehensive current and historical lists of all other parties to which they disclose personal data. Controllers that receive high volumes of access requests may prefer to provide this information publicly, such as within a public-facing privacy policy, to reduce the burden of complying with individual access requests.

Background

In 2019, an Austrian citizen requested that Österreichische Post AG (responsible for the Austrian postal service) disclose to him the identities of recipients of his personal data, as part of an access request under the GDPR, which gives individuals the right to obtain information from a controller about the recipients, or categories of recipients, to which a controller has disclosed or will disclose their personal data.

Österreichische Post AG chose to provide the individual with a description of the categories of recipients, rather than the specific identities of recipients, informing him that it uses personal data in the course of its activities as a telephone directory publisher, and that it offers personal data to trading partners for the purposes of marketing. Unsatisfied by the response, the individual brought proceedings against Österreichische Post AG before the Austrian Courts, seeking an order that Österreichische Post AG provide him with the specific identities of the recipients.

Austrian courts initially decided categories were acceptable

During the course of the judicial proceedings, Österreichische Post AG provided the individual with additional information about the categories of recipients. For example, Österreichische Post AG identified the recipients as stationary outlets, IT companies, and mailing list providers, but it did not name each recipient. Both at trial and on initial appeal, the Austrian courts sided with Österreichische Post AG on the grounds that the GDPR gave controllers the option of whether to disclose  “recipients or categories of recipient”, without having to identify the specific recipients to whom personal data are transferred by name.

On appeal to the Austrian Supreme Court, the Supreme Court observed that the wording of the GDPR is unclear as to whether data subjects are granted the right of access to specific information about recipients, or if controllers have discretion as to how to respond to requests for access to information about recipients. The Supreme Court stayed proceedings and asked the CJEU to confirm that the GDPR requires controllers to provide data subjects with the identity of recipients, in response to a data subject access request.

CJEU ruling requires controllers to name recipients, but also recognizes that there may be exceptions

The CJEU, in its ruling, acknowledged that the text of the GDPR does not clearly resolve the question. However, by considering the broader principles of transparency under the GDPR, the CJEU reasoned that the provision must be interpreted to mean that a data subject’s right of access includes a right to receive the actual identity of recipients to which their personal data has been, or will be, disclosed. Neither the text of the GDPR nor the CJEU decision distinguishes between recipients that are controllers as opposed to processors. This means that the right of access could potentially encompass a right for data subjects to know all service providers with access to personal data that a controller uses, much like the lists of subprocessors that processors disclose within their data processing agreements. However, the CJEU decision points to several important limitations that suggest that the right to know identities is not absolute.

  • First, the CJEU listed a few exceptions. For example, if it would prove impossible (such as where they are not yet known) or where the request is manifestly unfounded or excessive. Controllers should also consider whether disclosing the identities of recipients could compromise the security of personal data or impair the rights of others.
  • Second, the CJEU explained that the right of access enables data subjects to exercise further rights (e.g. right to erasure, objection, restriction, etc) and the right of action where a data subject has suffered damage. While this may be true for disclosures to other controllers, it is less clear that providing the identities of processors furthers these aims since processors are not required to provide privacy notices or respond to individual requests under the GDPR.

What does this mean for companies?

Data subjects will now, as part of a data subject access request, have the option of requesting specific information on the recipients of their data.

Controllers that receive, or expect to receive, GDPR access requests should:

  1. Maintain comprehensive records of recipients to which they provide personal data, and develop processes for keeping these records up to date.
  2. Require service providers to delete or return all personal data upon termination of the services, to avoid needing to disclose the identities of legacy service providers that continue to hold personal data.
  3. Consider posting some or all recipient information publicly, to reduce the burden of complying with individual requests.