Search

CJEU on the right of access to data recipients

Venushon Thadchanamoorthy

Venushon Thadchanamoorthy

Guest author from activeMind AG
The Court of Justice of the European Union (CJEU) has further strengthened the right to access under data protection law according to Art. 15 of the GDPR (General Data Protection Regulation) beyond the wording. This means that data controllers must now provide precise information on data recipients as soon as a data subject requests information. However, the Court of Justice also allowed exceptions in which the mere naming of categories of recipients is sufficient (judgment of 12 January 2023, ref.: C-154.21).

Background to the decision

The CJEU ruling concerned an Austrian case. Following a request for access pursuant to Art. 15 of the GDPR, a citizen had tried to obtain information from Österreichische Post AG as to whether personal data concerning him was being or had been stored. In the event that data had been transferred to third parties, the data subject had requested information about the recipients of the data.

Österreichische Post AG only complied with the request for access by informing the data subject that the data would only be processed to the extent permitted by law and referred to a website for further information and additional data processing purposes. The data subject subsequently brought an action before the Austrian courts requesting notification of the recipients of his or her personal data.

The court of first instance and the court of appeal both dismissed the action on the grounds that Art. 15(1)(c) GDPR gives the controller a choice through the wording “recipients or categories of recipients”.

The Austrian Supreme Court (OGH) dealt with how the provision should be interpreted in a subsequent appeal procedure. The OGH pointed out that the purpose of the regulation rather speaks for an interpretation that the data subject has a choice whether to receive information about the categories or the specific recipients.

In addition, the Supreme Court clearly distinguished the right to information under Article 15(1) of the GDPR from the controller’s duty to inform under Articles 13(1)(e) and 14(1)(e) of the GDPR. The right to access is particularly necessary to enable the data subject to exercise his or her rights to rectification, erasure and restriction of processing under Articles 16, 17, 18 and 21 of the GDPR.

The Supreme Court stayed the proceedings and referred the questions on the interpretation of Art. 15(1)(c) GDPR to the CJEU.

Current judgements on the GDPR

Read our regular reviews of data protection law rulings to stay up to date!

The judgment

The CJEU had to decide whether Art. 15(1)(c) of the GDPR should be interpreted to mean,

  • that data controllers are obliged to disclose the specific identities of the recipients of personal data to data subjects upon request or else,
  • that the provision leaves it up to the controller whether to communicate the specific identities of the recipients or only the categories of recipients.

The Advocate General at the CJEU, Giovanni Pitruzella, stated in his opinion of 9 June 2022 that the interpretation in favour of the data subjects is also confirmed by Art. 19 GDPR. The first sentence of this article provides that the controller must notify any recipients of personal data of any rectifications or erasure. The second sentence also provides that the controller must notify any recipients of personal data of any rectification or erasure. Likewise, sentence two provides that the data subjects must be informed of the recipients upon request.

The data subject therefore has the right, within the framework of the controller’s duty to inform, to receive information about the specific recipients in order to be able to exercise the rights under Articles 16, 17 and 18 of the GDPR. In this respect, an interpretation in favour of the data subjects, as set out above, is correct in order to comply with the transparency requirement.

Within its judgment, the CJEU largely followed the recommendations of the Advocate General.

The CJEU also stated that in certain circumstances, data controllers need not provide detailed information on specific recipients. In such cases, the indication of categories of recipients may already be sufficient. Information on categories of recipients instead of concrete details is sufficient if the controller may legitimately refuse to provide the information. In particular, this may be the case when the data subject makes manifestly unfounded or excessive requests. However, it should be noted that the controller must be able to prove that the data subjects request are manifestly unfounded and/or excessive.

Data protection assessment

The ruling is one of a series of rulings by the Court of Justice of the European Union in which data protection provisions are interpreted restrictively in order to ensure the highest possible level of protection for the right to informational self-determination. With this interpretation of the right of access, the CJEU once again recognises that data controllers have an obligation to provide data subjects with comprehensive information about the processing in order to enable them to exercise their rights under the GDPR. In particular, this decision once again shows the importance of the transparency requirement in the context of data protection. The right to access should enable data subjects to actually check the lawfulness of the processing. Consequently, the information on concrete recipients must also be made available for this purpose.

The question of whether this requirement also applies to the unilateral information obligations under Articles 12, 13 and 14 GDPR has not yet been conclusively clarified. Since the same wording can be found in both the information obligation and the right to access, there is at least something to be said in favour of this. However, it also seems reasonable to interpret the right to access as a more intensive right of legal protection that imposes extended obligations on data controllers. In particular, it also comes into play when unilateral information obligations of those responsible have not been fulfilled or have been fulfilled inadequately.

Conclusion

The decision of the CJEU represents a tightening of the requirements under data protection law for companies and is likely to cause a little more work when responding to data subject requests for access. There is now legal clarity that in the case of a request for access, the specific recipients must also be named. In contrast, the categories of recipients in the unilateral information obligations tend to be sufficient.

Responsible parties should now expand their process for processing access requests to include this requirement. If the additional work is already done when the information is prepared in accordance with Articles 12, 13 and 14 GDPR, this can also be used as a basis for an access requests under Art. 15 GDPR. The path towards full transparency for the benefit of the data subjects is necessary.

Contact us!

Secure the knowledge of our experts!

Subscribe to our free newsletter: