European Court of Justice (ECJ): decision of January 12, 2023, case no. C-154/21
Only in cases where it is not (yet) possible to identify the recipient, the controller can limit such information to communicating the categories of the respective recipients.
This was the only way to ensure for the data subjects to effectively exercise their rights under the General Data Protection Regulation, in particular the right to rectification, the right to erasure (“right to be forgotten”), the right to restriction of processing, the right to object to processing or the right to legal remedies in case of damages.
Background: right to information
Pursuant to Art. 15 (1) GDPR, individuals have a right to obtain information as to whether and which of their personal data is being processed. Such right includes, inter alia, the right to be informed to what recipients or categories of recipients the personal data have been or are going to be disclosed.
So far, there has not been any binding supreme court ruling determining whether it is sufficient to inform the person requesting the respective information only of the categories of recipients or whether all recipients’ identity had to be provided. Consequently, many companies limited the information to the categories of recipients. Companies should change such approach with immediate effect when responding to any request for information.
What needs to be done?
Companies should identify in a timely manner the recipients to whom data subjects’ data are disclosed. This is the only way to ensure for the short deadline of four weeks for responding to a request for information to be met. Furthermore, it may make sense to adapt the data protection notices regarding the recipients’ identity. It is entirely possible that supervisory authorities and courts will in future also require information on all recipients in data protection notices.