Right of access includes the right to know the identity of recipients

By: Courtney Don

As a data subject you have the right to access the processing of your personal data based on the General Data Protection Regulation (GDPR). Part of this right to access includes the right to know to whom your data has been provided. In a recent ruling, the Court of Justice of the European Union ruled that in doing so, you are also entitled to know the identity of the recipients of your personal data.


The facts

In early 2019 a man, the data subject, made a request for access to his personal data to the company Österreichische Post under Article 15 GDPR. Part of this request was to receive information about the parties to whom his personal data had been transferred. Österreichische Post responded to this request by stating that as a publisher of telephone directories, it transfers personal data to business customers for marketing purposes (to the extent permitted by law).

In response, the data subject summoned Österreichische Post to the national court, claiming that they should also disclose the identity of the recipients - and thus the exact recipients - of his personal data. In response, Österreichische Post revealed in the proceedings before the national court that the personal data had been passed on to, among others, IT companies and political parties.

According to the national court, it is sufficient to only communicate the categories of recipients to the data subject, as the GDPR mentions in Article 15(1)(c) that it concerns “the recipients or categories of recipients of the personal data”. Following this ruling, the data subject appealed to the Supreme Court. In this appeal, the Austrian Supreme Court weighed the balance between the wording in the GDPR article, which seems to leave room to communicate only the categories of recipients and, the protection of the data subject. As part of this balancing act, a preliminary question was referred to the Court of Justice of the European Union (the Court).

Preliminary question to the Court

The preliminary question to the Court seeks to clarify whether the right of access under the GDPR should be interpreted to mean that, as a data controller, you are obliged to also disclose the identity of recipients to the data subject. The preliminary question concerns both existing and future recipients of the personal data.

Considerations of the Court

The Court indicates to take into account not only the wording in the law, but also the purpose of the law (in this case the GDPR), see par. 29. The fact that the text of Article 15 GDPR first names "recipients" and only then "categories of recipients" does not mean that there is a particular order of precedence, according to the Court.

Thus, based solely on the wording from the GDPR, it cannot be determined whether the identity of the recipients should be part of the answer to the right of access.


More information?

Contact Courtney Don.

Related insights