On January 12, 2023, the Court of Justice of the EU (“Court”) decided that the GDPR’s right of access gives a data subject the choice between asking a controller for (i) the identity of each data recipient to whom the controller will or has disclosed the data subject’s personal data or (ii) only the categories of data recipients. The controller must comply with the data subject’s request, unless it is impossible to identify those recipients (e.g., because they are not yet known) or the controller demonstrates that the data subject’s access request is “manifestly unfounded or excessive.”
According to the Court, this interpretation of Article 15(1)(c) GDPR is in line with the GDPR’s principle of transparency and is necessary to enable data subjects to exercise their other GDPR rights (e.g., right of rectification, erasure and opposition). This interpretation is also confirmed by Article 19 GDPR, which expressly grants data subjects the right to receive from the controller the name of each data recipient, in the context of the controller’s obligation to inform all the recipients of the exercise of the data subject’s rights of rectification, erasure and opposition.
The Court’s decision only applies to the right of access. It is not clear that the same would apply to the transparency provisions in Article 13 and 14 GDPR which also refer to “recipients or categories of recipients”.
* * *
There are a number of other cases on the GDPR’s right of access pending before the Court (e.g., see blog posts on two other cases). The Covington Privacy and Cyber team will continue to monitor these cases and report on any relevant Court decisions or Advocate General opinions.