The European Court of Justice has ruled that the right to information regarding data recipients according to art. 15 (1)(c) GDPR refers to the naming of all individual recipients. From our point of view, this is not surprising.
In its press release No. 4/23, the Court of Justice summarised its decision (Case C-154/21):
“Everyone has the right to know to whom their personal data has been transferred”.
The decision was based on the following case:
A data subject requested Austrian Post to inform him in detail to which recipients the logistics service provider had disclosed his personal data.
He referred to GDPR, which provides the right of a data subject to obtain from data controllers information on the recipients or categories of recipients to whom the personal data have been disclosed.
Answering the citizen’s question, Austrian Post limited itself to informing the citizen that personal data would be used, as far as legally allowed, in the context of its activities as a publisher of telephone directories and would also be offered to business customers for marketing purposes.
The citizen filed a complaint against Austrian Post to obtain more precise information. Austrian Post stated that his data had been passed on to customers including advertising companies in the mail order and stationary trade, IT companies, publishers and donation organisations, non-governmental organisations or, political parties.
The Austrian Supreme Court asked the European Court of Justice the following question on the correct interpretation of the GDPR (shorted):
“Does the GDPR leave it up to the […] controller whether to inform the data subject of the specific identity of the recipients or only the categories of recipients? Or does the data subject […] have the right to know the specific identity of these recipients?”
In its judgment, the ECJ replied as follows (shorted):
“The controller is obliged, where personal data has been disclosed to recipients […] to communicate the identity of the recipients to the data subject upon request.”
Only if it is impossible to identify these recipients, the controller limits himself to merely communicating categories of the recipients. This also applies if the controller proves that a request for precise information is manifestly unfounded or excessive.
The Court points out that this right of access of the data subject is also necessary to enable the exercise of other rights under the GDPR, e.g.
– entitlement right,
– right to erasure (“right to be forgotten”),
– right to restrict processing,
– right to object to the processing, or also to
– right to compensate for damages.
The follow-up question, is whether this requirement also applies to the naming of data recipients in the data privacy policy (pursuant to Article 13 (1)(e) of the GDPR). However, the ECJ did not comment on this.