Right of access to personal data: a right to know the identity of the recipients or categories of recipients?

SÉRVULO PUBLICATIONS 08 Feb 2023

On 12 January 2023, the Court of Justice of the European Union (“CJEU”) delivered a judgment[1] stating that article 15(1)(c) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“General Data Protection Regulation”), hereinafter “GDPR”, must be interpreted as meaning that the data subject’s right of access to personal data concerning him or her entails, where those data have been or will be disclosed to recipients, an obligation on the part of the controller to provide the data subject with the identity of those recipients.

Right of access to personal data

Article 15 of the GDPR gives any natural person a right of access to his or her personal data that are being processed. This right consists, primarily, in the ability to obtain from the controller the confirmation as to whether or not personal data concerning him or her are being processed. If that is the case, the data subject may, secondly, demand to know which personal data are being processed and obtain the information listed in the referred article, including the recipients or categories of recipients to whom the personal data have been or will be disclosed. 

The dispute

An Austrian citizen exercising the right of access under article 15 of the GDPR, requested to Österreichische Post AG, an Austrian postal service company and data controller, access to personal data concerning him and, if disclosed to third parties, the identity of those third parties. Faced with the refusal of access to this information, the Austrian citizen brought an action in the national court. During the judicial proceedings, the controller only disclosed the information regarding the categories of recipients.

Both the national court of first instance and the court of appeal concluded that, as article 15(1)(c) of the GDPR refers to “recipients or categories of recipients”, this grants the controller the possibility to disclose only the categories of recipients. The Oberster Gerichtshof (Supreme Court of Austria) decided to suspend the proceedings and refer the question on the interpretation of article 15(1)(c) of the GDPR to the CJEU.

Analysis of the CJEU

While acknowledging that the wording of the GDPR is unclear in relation to the order of priority between “recipients” and “categories of recipients”, the CJEU states that this is a choice of the person exercising the right of access, which is somewhat different from the obligation imposed by articles 13 and 14 of the GDPR on the controller to provide the data subject, on his own initiative, with information relating to the categories of recipients or the recipients of the personal data. The CJEU believes that article 15 of the GDPR provides a right of access in favor of the data subject which gives him or her the option to obtain information concerning the recipients to whom the personal data have been or will be disclosed whenever this is possible.  

The CJEU also mentions the fundamental idea that the right of access is necessary to enable the data subject to exercise other rights under the GDPR, such as the right to rectification, the right of erasure and the right to restriction of processing. In other words, to ensure that those rights can be exercised, the data subject must know the identity of the recipients in the event that the respective personal data have already been disclosed.

Finally, transparency in the processing of personal data is a fundamental principle, as provided in article 5(1)(a) of the GDPR, which implies that the data subject must have information on how his or her personal data are processed and by whom. Thus, the information disclosed to the data subject under the right of access must be as accurate as possible, this being the interpretation that, according to the CJEU, best corresponds to the main purpose pursued by the GDPR: to ensure a high and consistent level of protection for individuals in the European Union. 

Joana Filipe Agostinho | jfa@servulo.com