The GDPR allows individuals to request information about the “recipients or categories of recipients” to whom their personal data has been disclosed. In a recent ruling, the EU’s Court of Justice said data subjects get to choose whether they receive information about categories of recipients or specific recipients.
Article 15(1)(c) of the GDPR gives individuals the right to obtain from a controller information on “the recipients or categories of recipient to whom the personal data have been or will be disclosed” (amongst other things).
On 12 January 2023, the Court of Justice of the EU (the “CJEU”) published its decision in Case C-154/21, addressing a controller’s obligations under this provision. In the underlying case, an individual (“RW”) submitted a request to a company under Article 15(1)(c), seeking information regarding the identity of the recipients to whom his personal data had been disclosed. In response, the company identified certain categories of recipients to whom it had disclosed RW’s personal data. RW brought proceedings before the Austrian courts, seeking an order requiring the company to disclose the specific recipients of his personal data (not merely the categories of recipients). The Austrian Supreme Court referred questions on this issue to the CJEU.
The CJEU held that Article 15(1)(c) of the GDPR is not explicit on this issue, and should be read in the wider context of the objectives pursued by the GDPR. According to the CJEU, to enable individuals to verify that the processing of their personal data is lawful and exercise other rights under the GDPR, they must be allowed to know the specific identities of the recipients of their personal data where possible.
However, noting that data protection rights are not absolute, and acknowledging the principle of proportionality, the CJEU clarified that a controller may reject a request for information about specific recipients under Article 15(1)(c) if it can demonstrate that:
- It is impossible to honour the request (for example, where the recipients are not yet known), or
- The request is manifestly unfounded or excessive (with reference to Article 12(5) of the GDPR)
The CJEU’s decision suggests that each request under Article 15(1)(c) will need to be considered on a case-by-case basis to assess whether the specific identities of the relevant recipients need to be disclosed to the individual making the request. Case law and regulatory findings will ultimately provide guidance on the extent to which, and under what scenarios, exemptions apply to such disclosure, particularly given there is currently limited authority and literature on the scope of Article 12(5). Overall, businesses are likely to find that the amount of effort that is required to comply with requests under Article 15(1)(c) will increase as a result of this decision.
This publication is provided for your convenience and does not constitute legal advice. This publication is protected by copyright.
© 2023 White & Case LLP