"Right of access" claims under data protection law have long since become part of everyday business life and often mean a great deal of effort for the companies concerned. The question arises as to whether this effort will become even greater following an ECJ decision issued in January.
According to Article 15 GDPR, a data subject has the right to obtain confirmation from the controller as to whether personal data concerning him or her are being processed. If this is the case, he or she also has the right to know further details, such as the purposes of processing or categories of personal data. However, it has long been disputed whether this right also includes the obligation of companies to inform the data subject of the identity of all recipients of the respective data.
Article 15 (1) (c) GDPR provides for a choice in this regard. It states that "recipients or categories of recipients" must be named. It was previously unclear whether the data subject or the company responsible should have the right to choose.
Decision of the ECJ
In its ruling of January 12, 2023 (Case C-154/21), the ECJ decided that the data subject has the right to choose whether he or she wishes to be informed of all recipients or only the categories of recipients. An obligation to disclose the specific identity of the recipients therefore exists in principle if the person requests this from the company. According to the ECJ, however, this right does not apply without restriction. It does not apply if it is impossible for the controller to specifically name the individual recipients or if the requests from the data subjects are obviously unfounded or excessive.
In order to be able to assess the impact of this decision on the practice of companies, it is necessary to take a closer look at the specific circumstances of this ECJ decision. Specifically, the decision concerned a dispute about a data subject's right to information against Austrian Post. Initially, Austrian Post had merely stated to the data subject that it used data, insofar as this was legally permissible, in the course of its activities as a publisher of telephone directories and offered these personal data to business customers for marketing purposes. It also referred to a website for more detailed information and further data processing purposes. In the course of the legal dispute, Austrian Post then informed the data subject that the personal data had been processed for marketing purposes and passed on to customers, which had included advertising companies in the mail order and stationary trade, IT companies, address publishers and associations such as donation organizations, non-governmental organizations (NGOs) or political parties.
The ECJ based its legal reasoning primarily on the fact that by exercising their rights of access, the data subjects must also be able to check whether the data are being processed in a permissible manner. In addition, it must also be made possible for the data subjects to exercise the other rights (deletion, restriction, right of objection) and to seek possible legal remedies.
Impact of the Decision on Practice
A look at the categories of recipients involved in this specific dispute (advertising companies and customers for marketing purposes) shows that this is a case of data being passed on to a separate data controller, which then used the data for its own purposes (namely marketing purposes). In such cases, according to the ECJ's decision, there is always an obligation to name all individual recipients if they are known to the controller.
The ECJ did not explicitly address the question of whether the right to information also extends to all processors and their subprocessors. Particularly in the case of complex data processing such as SaaS and cloud services, a very large number of subprocessors can be used for even the smallest ancillary activities, which in case of doubt are "recipients" of data according to the definition of the GDPR. Unlike separate controllers, processors are not allowed to process data for their own purposes, but only ever process data on behalf of the controller. The rights of the data subject, such as rights of access, erasure or rectification, are in each case directed exclusively against the controller(s), not against individual processors. The data subject can therefore effectively exercise all his or her rights under the GDPR if he or she knows the controllers. Knowledge of all individual processors and all further subprocessors, however, is not necessary for the enforcement of the rights of the data subject. In our view, it can thus be further argued that the data subject's right of choice only applies to responsible controllers and that the naming of categories of recipients is still sufficient for processors.
Practice Tip
If a company receives a request for access, it should first be checked to what extent the information is specifically requested. Only if it is expressly requested that all recipients be named has the data subject exercised his or her right of choice (as understood by the ECJ).
Companies should generally check whether their current documentation is sufficiently prepared for requests for access. In any case, if data is transferred to third parties who process data under their own data controllership, companies must be able to name the individual recipients. The specific processors used should also be easily retrievable by companies. The information can either be provided directly in the register of processing activities or in separate lists. In any case, the documentation should always be kept up to date and reviewed regularly. It is also advisable to check whether information is available from all processors used about their subcontractors. Here, too, a routine for documentation should be established.