CJEU clarifies

CJEU clarifies: right of access equals knowing who received your personal data

News

13-01-2023

3 minutes read

Yesterday, the CJEU ruled that the data subject’s right of access to personal data (article 15 GDPR) entails the right to obtain information about the identity of individual recipients of the personal data that was (initially) collected and processed by the data controller to whom an access request was directed.

In principle, article 15 GDPR contains an obligation on the part of the controller to provide the data subject with the actual identity of recipients of their personal data.

The CJEU has reached this conclusion in its judgment in the case between RW and Österreichische Post (C-154/21). Important considerations in this regard are:

1. The right of access is necessary to enable the data subject to effectively exercise other rights conferred by the GDPR, namely the right to rectification of data, the right to erasure, the right to object to processing of personal data and the right of action where damage is suffered.

2. To ensure the effectiveness of these rights, the data subject should, in particular, have the right to know who the concrete recipients of his personal data were.

3. This leads the CJEU to the conclusion that the right of access entails the obligation of the controller to communicate to the data subject the identity of these recipients, unless it is impossible to identify those recipients or the controller demonstrates that the data subject’s requests for access are manifestly unfounded or excessive. It is left unclear under which specific circumstances this exception applies, but it may be expected that the threshold of successfully invoking it will be high. The utility of this exception in practice therefore remains to be seen and is likely to be further clarified in future caselaw.

This ruling will have important implications in practice. While the information obligation of articles 13 and 14 GDPR clearly states that informing the data subjects about the category of recipients of personal data suffices, in response to an access request the identity of the individual recipients must be provided. As such, controllers must ensure that they keep record of specific recipients for each data transfer. This should also be duly reflected in the record of processing activities kept by data controllers. It is likely that many controllers will have to update their documentation in this regard and/or perform new and further data mapping exercises to ensure that such information is available and duly documented at all times.

The final judgment can be found here.

For more information about the implications of this judgment or assistance with the data mapping exercise and updating of the relevant documentation, reach out to our experts from Loyens & Loeff’s Data Protection & Privacy team.