Where a controller has disclosed or will disclose a data subject’s personal data to a recipient, the GDPR 1) imposes obligations on controller to inform about the recipient, and, 2) gives the data subject (correlative) rights to information about the recipient.
In this context, several questions arise such as:
1) What does it mean to disclose personal data?
2) What does it mean to receive personal data?
3) What does “recipient” mean?
4) Who can be regarded as recipients of personal data?
5) What are the controller obligations to inform about recipients?
6) What are the data subject rights to information about recipients?
On question 1) and 2) I give no comments.
On question 3) I briefly here mention that Article 4.9 defines “recipient” as “(…) a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not”.
On question 4) I briefly here mention that Article 4.9 and Preamble 31 of the GDPR exempt public authorities from being regarded as recipients if they “(…) receive personal data in the framework of a particular inquiry in accordance with Union or Member State law (…)”.
On question 5) and 6) I will go through the ECJ’s assessment in Österreichische Post AG, Case C‑154/21, as to whether Article 15(1)(c) of the GDPR must be interpreted as meaning that the data subject’s right of access to personal data concerning him or her, provided for by that provision, entails, where those data have been or will be disclosed to recipients, an obligation on the part of the controller to provide the data subject with the specific identity of those recipients.
This blog post will be followed by another post where I will give an overview of controller obligations to inform about recipients and data subject rights to information about recipients.
In Österreichische Post AG, Case C‑154/21, the plaintiff had, pursuant to Article 15(1)(c) of the GDPR, requested access to personal data concerning him which were being stored or had previously been stored by Österreichische Post, and, if the data had been disclosed to third parties, for information as to the identity of the recipients. Österreichische Post had processed the plaintiff’s personal data for marketing purposes and forwarded them to several recipients. However, in its response, Österreichische Post did not disclose to the plaintiff the identity of the specific recipients of the data. The plaintiff sought before the Austrian courts that Österreichische Post provide him with the identity of the recipient(s) of the personal data disclosed.
2 ECJ on rules of interpretation
In accordance with settled case-law, the interpretation of a provision of EU law, including Article 15(1)(c) of the GDPR, requires that account be taken of its wording, its context and the objectives and purpose pursued by the act of which it forms part, and, where a provision of EU law is open to several interpretations, preference must be given to that interpretation which ensures that the provision retains its effectiveness. Below, I will succinctly go through the ECJ’s account of wording, context, objectives and purpose.
3 ECJ on the wording of Article 15(1)(c) of the GDPR
Since the terms “recipients” and “categories of recipient” are used in succession and do not indicate an order of priority between them, the wording of Article 15(1)(c) of the GDPR does not make it possible to determine whether the data subject would have the right to be informed of the specific identity of the recipients of the data.
4 ECJ on 5 points of context of Article 15(1)(c) of the GDPR
Recital 63 GDPR states that the data subject is to have the right to know and obtain communication in particular with regard to the recipients of the personal data and does not state that that right may be restricted solely to categories of recipients.
Article 15(1)(c) of the GDPR is one of the provisions intended to ensure transparency as set out in Article 5(1)(a) of the GDPR vis-à-vis the data subject of the manner in which personal data are processed.
4.3 A genuine right of access
Article 15 of the GDPR lays down a genuine right of access for the data subject, with the result that the data subject must have the option of obtaining either information about the specific recipients to whom the data have been or will be disclosed, where possible, or information about the categories of recipient.
4.4 Verification, enabling rights and effectiveness of rights
The exercise of the right of access must enable the data subject to verify that the data concerning the data subject:
- are correct.
- are processed in a lawful manner.
- have been disclosed to authorized recipients.
4.4.2 Enabling rights
Article 15(1)(c) of the GDPR enables the data subject to exercise the rights laid down in Articles 16 to 19, 21, 79 and 82 of the GDPR.
4.4.3 Effectiveness of rights
In order to ensure the effectiveness of all of the rights referred above, the data subject must have the right to be informed of the identity of the specific recipients where his or her personal data have already been disclosed.
4.5 Right to be informed of the specific data recipients when controller informs data recipients of the exercise of the data subject’s rights
GDPR Article 19, second sentence obliges controllers to inform data subjects of all recipients upon request, which in turn gives data subjects the right to know recipients in the context of the controller’s obligation to inform all the recipients of the exercise of the data subject’s rights under Article 16, Article 17(1) and Article 18 of the GDPR.
4.6 Precise information
The right of access provided for in Article 15(1)(c) of the GDPR must be as precise as possible, and this entails that data subjects can request specific recipient information or categories of recipient.
5 ECJ on the objectives and purpose of Article 15(1)(c) of the GDPR
The GDPR aims to protect EU individuals’ personal data, implementing the requirements of Article 8 of the EU Charter of Fundamental Rights, which supports the interpretation that Article 15(1)(c) GDPR gives data subjects the right to obtain information about the specific recipients to whom the personal data concerning him or her have been or will be disclosed.
6 The right to the protection of personal data is not an absolute right
The ECJ emphasized that GDPR’s right to personal data protection is not an absolute right but must be balanced with other rights, per recital 4 GDPR and Facebook Ireland and Schrems case (C‑311/18, EU:C:2020:559). Data access may be restricted to categories of recipients when the recipients are not yet known. Under Article 12(5)(b) GDPR, controllers can refuse manifestly unfounded or excessive requests.
7 ECJ’s answer to the question referred
- The ECJ concluded that Article 15(1)(c) of the GDPR:
- must be interpreted as meaning that the data subject’s right of access to personal data concerning him or her entails, where those data have been or will be disclosed to recipients, an obligation on the part of the controller to provide the data subject with the actual identity of those recipients
- can be exempted from when it is impossible to identify those recipients or the controller demonstrates that the data subject’s requests for access are manifestly unfounded or excessive within the meaning of Article 12(5) of the GDPR, in which cases the controller may indicate to the data subject only the categories of recipient in question.