Data subject access requests (DSARs) are an integral part of the wider data protection framework. They give individuals the right to request a copy of their personal data which is being processed by the controllers of that data. As part of this right of access, data subjects are entitled to information regarding the “recipients or categories of recipient” to whom their personal data has been or will be disclosed. Controllers generally satisfy this requirement by setting out the broad categories of potential recipient in their public privacy notices. However, a recent opinion of an Advocate General of the CJEU has determined that data subjects should, upon request, be provided with the identity of the specific recipients to whom their personal data has been disclosed.

In this case, the controller relied on its generic privacy notice setting out categories of recipient. The data subject in question argued that this did not meet the access requirements of the GDPR because it failed to clarify whether the controller had actually transferred the data subject’s personal data to the third parties and, if it had done so, who the specific recipients of those disclosures were.

The Advocate General determined that when responding to a DSAR, the controller should provide the identity of the specific recipients to whom the data subject’s personal data has been disclosed, if so requested. The Advocate General’s reasoning for this position is that under GDPR the data subject, as opposed to the controller, has the choice of being provided with either the categories of recipients or the specific recipients.

Not providing the list of actual and potential recipients of the user’s data undermines the purpose of disclosing this data in the first place, which is to:

  • Ensure that the data subject is aware of the processing of their data
  • Enable the user to verify the lawfulness of the processing, and
  • Enable the user to exercise their other rights under the GDPR

In the view of the Advocate General, there should only be limited exceptions to this requirement, notably:

  1. Where it is materially impossible to provide information about specific recipients, for example, because they have not yet actually been identified
  2. Where the controller can demonstrate that the access request is manifestly unfounded or excessive within the meaning of the GDPR

The Advocate General’s opinion is in line with the European Data Protection Board Draft Access Guidelines, which should be published in their final version later this year. Among other matters, these guidelines state that the controller should generally name the actual recipients. They note that naming the recipients may not be possible at the time of providing the information but only at a later stage, for example when a DSAR is made.

Conclusion

The Advocate General’s opinion - if followed by the CJEU - reflects the increasingly rigorous requirements for DSARs also being laid down in regulatory guidance, in particular those outlined in the recent EDPB Draft Access Guidelines. DSARs have always been challenging and time-intensive for controllers. However, in light of these developments the burden of compliance is going to get significantly greater for all DSARs, particularly those that have more contentious origins where data subjects will invariably scope the request in the broadest manner possible. Accordingly, it will be important for controllers to keep these developments under review.