In its decision of 12 January 2023 (C-154/21) the European Court of Justice stated its position on the extent to which companies must disclose the identity of recipients of personal data when the right of access pursuant to Article 15(1), letter (c) GDPR is exercised. For many companies, this may mean they need to modify how they respond to requests for access.
Background
A customer of Österreichische Post, the Austrian postal service, requested information on how his personal data had been processed, in particular the identity of any recipients of that data. Österreichische Post replied that it uses personal data in the course of its activities as a publisher of telephone directories and that it offers those data to trading partners for marketing purposes. This use is within the bounds of what is legally permissible, it told the customer. In its response to the request, Österreichische Post did not state the names of these trading partners.
The customer then brought proceedings, invoking Article 15(1), letter (c) GDPR. In his view, this provision gave him a right of access to information on the specific recipients. Both the court of the first instance and the appellate court dismissed the claim; the claimant then appealed on points of law.
Austria’s Supreme Court of Justice referred the matter to the ECJ, asking whether the right of access pursuant to Article 15(1), letter (c) GDPR is limited to information on recipient categories where specific recipients have not yet been defined in the case of planned disclosures, but includes information on specific recipients where personal data has already been disclosed to them.
ECJ’s decision
The ECJ ruled that pursuant to Article 15(1), letter (c) GDPR, companies generally have an obligation to state recipients’ identity when providing information to those seeking it. This applies both to recipients to which the company has already disclosed the relevant personal data as well as to future recipients of the data. In this regard, the company has no leeway.
The only cases in which the recipients must not be named are where
- it is impossible to identify the recipients, or
- naming them would be manifestly unjustified, disproportionate or excessive, within the meaning of Article 12(5) GDPR. The company must prove this, the ECJ stated.
In such cases, it is sufficient to state recipient categories only.
Interpreting Article 15(1), letter (c) GDPR differently would fail to satisfy the aim and purpose of the right of access, the ECJ held. This right forms the basis of further data subject rights including the rights to rectification and erasure as well as the right to object to processing. In the ECJ’s view, the recitals, the principle of transparency, and Article 19 GDPR support this interpretation, which helps data subjects realise their right to data protection (effet utile).
Our assessment
- Although Article 15(1), letter (c) GDPR is broadly worded (“recipients or categories of recipients”), companies must generally provide information on specific recipients should data subjects seek this in their requests. If companies fail to do so, they may have infringed data protection law and face an administrative fine (Article 83(5) GDPR). The data subject who filed the request might also assert a claim for damages (Article 82 GDPR).
- The right of access is not unlimited, however. It must be weighed up against other legal concerns enjoying protection, and these concerns may restrict it. The ECJ makes explicit mention of exceptions where it is impossible to meet the request for access or the request is manifestly unfounded or excessive.
- In addition to the exceptions the ECJ explicitly cites, other rights may limit the right of access. Depending on the individual case, company and third party interests in confidentiality may impose such limits (cf. Article 15(4) GDPR). The right of access may also be limited by EU or national law (in Germany’s case, sections 27(2), 28(2), 29(1), 34(1) Federal Data Protection Act (Bundesdatenschutzgesetz, “BDSG”) – for example, to protect whistleblowers.
- The ECJ decision makes no mention of whether specific recipients must be identified by name in information provided pursuant to Articles 13 and 14 GDPR, i.e. data protection statements or privacy notices. Although these provisions’ wording resembles that of Article 15 GDPR, a duty to provide information and a right of access differ in key points. The recitals relating to information do not explicitly refer to “recipients” (cf. recitals 39, 63 GDPR); moreover, Articles 13 and 14 GDPR do not confer subjective rights. Last but not least, it is doubtful what purpose the right of access serves if privacy notices have to contain all the information that needs to be provided anyway. It remains to be seen whether the ECJ will nevertheless apply its ruling to Articles 13 and 14 GDPR.
In practice
To be able to identify specific data recipients and not mere categories when requests are made, companies should ensure they have all relevant information available before they receive requests for access – or at least that they can obtain it before the standard one-month deadline for providing information expires (Article 12(3) GDPR). This makes it necessary to collect recipients systematically (known as data mapping) and update information regularly.
Records of processing activities can be used to organise this, as recipients outside of the EU have to be recorded here anyway (Article 30(1), letter (d) GDPR).
To pre-empt any requests for access, companies can also list relevant recipients in their privacy notices, weighing this course of action up against interests that may conflict with it. For some recipients, this is already the case in employee privacy notices (e.g. affiliates and payroll providers). Here too, some companies will be able to build on existing processes.
If a company has standard processes for responding to requests for access (especially in e-commerce), these processes may need to be modified to ensure that the information provided complies with both the request and the law.
Forward