The European Court of Justice (CJEU) delivered a ruling leading to major discussions, mandating controllers to inform data subjects of recipients’ names upon exercising their privacy right of access under GDPR unless specific exceptions apply.
The case on the GDPR right of access
The case pertained to a GDPR right of access request exercised by an individual towards Österreichische Post, the main operator of postal and logistics services in Austria, to inform him of the identity of the recipients to whom it had disclosed his personal data.
On the matter, Article 15 of the GDPR regulates the right of access and provides that data subjects have the right to obtain from the data controller, among other information:
“the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations”.
And indeed, Österreichische Post merely stated in its response that it uses personal data to the extent permitted by law, as part of its business as a publisher of telephone directories, and that it provides such data to its business partners for marketing purposes, relying on the option of referring merely to the categories of recipients of personal data. However, the individual was not satisfied, and the Oberster Gerichtshof (the Austrian Supreme Court) referred the case to the CJEU to clarify whether the GDPR leaves the data controller free to choose between disclosing the concrete identity of the recipients or only the categories of recipients, or whether it gives the data subject the right to know the recipients’ concrete identity.
The obligation to disclose recipients of data in case of access right request under the GDPR according to the CJEU
The position of the CJEU was quite straightforward, since it held that
“the objective of the GDPR [is] that the data subject has the right to obtain from the data controller information about the specific recipients to whom personal data concerning him or her have been or will be disclosed.”
The European Court of Justice set out exceptions to this obligation, but their scope is limited. Indeed, “the right of access may be limited to information on categories of recipients if it is impossible to communicate the identity of the precise recipients, in particular when they are not yet known.”
This position is in line with the view taken by the EDPB in its guidelines on the right of access, where it held that “the controller should [—] name the actual recipients unless it would only be possible to indicate the category of recipients”, but the EDPB guidelines are not binding, while the CJEU decision is a relevant precedent.
The potential distorting effects of the decision on privacy rights
The access right is an essential right under the GDPR, and there is no doubt that individuals have the right to receive information on the data processing activities performed by data controllers. Sometimes, privacy information notices are very generic and not transparent, preventing individuals from understanding the data processing activities performed.
However, there is a fast-growing number of individuals who leverage their access right merely to harm a supplier they dislike or an employer with whom they are on bad terms. These individuals know how burdensome handling an access request is for a large organization and, even without any real interest in receiving the requested information, exercise the right of access in order to harm it and claim damages.
Both the GDPR and the above-mentioned ruling provide safeguards for data controllers, allowing the controller to “refuse to comply with the data subject’s requests when they are manifestly unfounded or excessive, it is understood that it is for the controller himself to demonstrate the manifestly unfounded or excessive nature of such requests”. But this exception is interpreted quite narrowly by data protection authorities, even when individuals lodge broad access requests that essentially ask for any information on their data processing without giving any indication of what information they are after.
In my view, this situation does not contribute to the protection of individuals’ privacy. On the contrary, it creates disaffection with privacy compliance within organizations, since it is seen as a mere compliance obligation that does not respond to a relevant individual right. Hopefully, data protection authorities will take a more balanced view of the scope of this right.
Recommended actions to be undertaken following the CJEU ruling on the right of access
Under the GDPR, data controllers must provide the requested information in response to an exercise of the right of access within one month of receipt of the request. This term can be extended by a further two months where necessary, taking into account the complexity and number of the requests, but this extension does not change much: companies need to be prepared to deal with such requests. The CJEU ruling adds a layer of complexity, since organizations often do not map the names of the recipients of each category of personal data in their record of processing activities or in any other database, although they are now required to track this information.
At DLA Piper, we developed an artificial intelligence system that can review the documentation subject to the access right request saving a massive amount of time in identifying the information to be provided. But, even with this technology, if a company is not aware of the actual recipients of data, it will not be able to respond properly.
The CJEU ruling requires companies to run a data mapping exercise covering the recipients of each category of data. Besides, this ruling might uphold the view of data protection authorities that any information provided to individuals in response to an access request must have the same level of detail. I don’t entirely agree with this approach, but organizations need to live with it and get ready to deal with these requests.
On a similar topic, you may find the following article interesting: “Right for consumer associations to file GDPR related lawsuits upheld by CJEU”.