A recent ruling of the Court of Justice of the European Union (CJEU) placed an increased burden on companies dealing with data subject access requests (DSARs) under the General Data Protection Regulation (GDPR) by requiring data controllers to provide information on individual recipients of personal data.
Companies face various legal uncertainties when receiving DSARs pursuant to Article 15 of the GDPR. The content of information that a controller must provide to the data subject in the context of a DSAR remains unclear despite various guidelines. Article 15(1)(c) of the GDPR leaves room for interpretation over whether the data subject has a right to be informed about the 'individual recipients' or 'categories of recipients' to whom its personal data has been or will be disclosed.
Clarity from the CJEU
On January 12, 2023, the CJEU ruled that, if requested, the data controller must inform the data subject of the identity of the recipients to which personal data has been or will be disclosed (C‑154/21). Companies cannot choose to rely on categories of recipients, but must disclose each individual recipient if the data subject requests it. The CJEU also made clear that this right of the data subject is not absolute. Rather, the CJEU held that if it is impossible to identify those recipients or if the data controller can prove that the DSAR is manifestly unfounded or excessive, the controller may indicate only categories of recipients.
Practical implications of the CJEU’s ruling
The CJEU’s ruling substantially increases the burden on companies dealing with DSARs. To be able to comply with DSARs in the future, companies should review their current data governance processes and extensively map out the (potential) recipients of personal data.
Notwithstanding the severe implications of the CJEU’s ruling, companies could rely on limitations imposed by the material scope of Article 15(1)(c) of the GDPR. It could potentially be argued that a data subject’s right to request information on recipients does not necessarily extend to sub-processors. Although it cannot be ruled out that a data protection authority may take a different view, companies could assert that Article 15(1)(c) of the GDPR only requires companies to inform the data subject of the recipients, not any subsequent recipients. Additionally, companies may, on a case-by-case basis, rely on the exemptions laid out by the CJEU, as a DSAR for information on sub-processors could prove to be excessive.
The CJEU does not clarify whether information on specific recipients must also be provided in cases in which the respective DSAR simply copies the wording of Article 15(1)(c) of the GDPR. It could be argued that a data subject referring to both recipients and categories of recipients has exercised their right of choice in such a manner that the data controller is free to provide only information on categories of recipients. Yet, a data protection authority could assert that even in cases like these, the data controller must, for the benefit of the data subject, identify the recipients.
The CJEU also does not comment on whether the controller must map what categories of personal data each individual recipient receives and for what purpose. It can therefore be argued that it would not be necessary to inform the data subject of which categories of personal data have been or will be disclosed to each individual recipient and the purpose of the disclosure.
Will the CJEU’s ruling impact the scope of the GDPR’s transparency obligations?
According to the transparency obligations in Articles 13(1)(e) and 14(1)(e) of the GDPR, the controller is obliged to provide information on ‘the recipients or categories of recipients’ of personal data. Nonetheless, it seems very unlikely that the CJEU will adopt the same broad interpretation for the information on recipients to be provided in privacy notices. The ruling clearly distinguishes between Articles 13 and 14 of the GDPR and Article 15 of the GDPR. The CJEU highlights that, in contrast to Articles 13 and 14 of the GDPR, Article 15 provides an actual right of access for the benefit of the data subject. Furthermore, the Article 29 Working Party’s ‘Guidelines on Transparency under Regulation 2016/679’ do not preclude a data controller opting for the provision of categories of recipients rather than individual recipients, as long as they are sufficiently specific.