When an individual makes a “subject access request” under the GDPR, they have a right to know how personal data about them is shared.
But does the organisation receiving the request (the controller) have to tell the individual exactly which companies have received the individual’s personal data? Or is it enough to simply explain which types of organisations have received the data?
This question was answered on 12 January 2023 by the Court of Justice of the European Union, in case C‑154/21 concerning Österreichische Post (“Austria Post”).
This decision has major implications for transparency under the GDPR—and it might also prompt controllers to be more careful about how they share people’s data.
A Request to Austria Post
Austria Post is the main operator of postal services across Austria. An individual (known as “RW” in the judgment) submitted a subject access request to Austria Post, asking:
- Whether Austria Post held any personal data about him.
- Whether Austria Post shared any personal data about him.
- If so, the identities of the recipients of his personal data.
Austria Post’s first response to RW was quite vague. The company said that it shares personal data with its trading partners for marketing purposes, and directed RW to its website for more information.
RW was unhappy with this response. So he took Austria Post to court.
The First Court
RW asked the court to order Austria Post to tell him the specific recipients of his personal data.
Austria Post’s next response was somewhat more detailed. According to the CJEU judgment, the company told RW that it shared his information with:
- Stationary outlets
- IT companies
- Mailing list providers
- Charitable organisations
- Non-governmental organisations (NGOs)
- Political parties
The first instance court said that this was a satisfactory response from Austria Post. But it still wasn’t enough information to satisfy RW, so he appealed.
RW argued that Austria Post hadn’t met its obligations under Article 15 of the GDPR, which sets out the “right of access”.
Article 15(1)(c) says that individuals are entitled to information about “the recipients or categories of recipient to whom the personal data have been or will be disclosed”.
RW claimed Austria Post had to tell him about the specific recipients of his personal data. But the appeal court rejected this argument.
The court interpreted the GDPR as providing controllers with a choice between revealing either:
- The recipients of personal data (e.g. Google), or
- The categories of recipients of personal data (e.g. “advertisers”).
RW disagreed, maintaining that Austria Post must tell him the specific recipients of his data. So he took his case to the Austrian Supreme Court.
The Supreme Court’s Question
The Austrian Supreme Court was unsure how to interpret the GDPR.
There are clearly two options under Article 15(1)(c). Individuals are entitled to information about “the recipients” or “the categories of recipients” of their personal data.
But who gets to choose?
- The individual requesting the information, or
- The controller providing the information?
The Supreme Court noted one thing in particular: The main point of the GDPR’s “right of access” is to enable individuals to check whether their personal data is being processed lawfully.
If the controller gets to choose whether or not to tell the individual who exactly has received the individual’s personal data, that might defeat the object of the right of access.
The Supreme Court referred the case to the CJEU.
The CJEU Judgment
At the CJEU, RW won the argument.
The CJEU decided that individuals have the right to information about the “specific recipients” of their personal data.
This means controllers must, on request, inform individuals of the identity of any person or organisation that has received—or will receive—personal data about that individual.
The CJEU noted that the wording of the GDPR was ambiguous. But there were several factors in favour of the “specific recipients” interpretation, including the following:
- Elsewhere in the GDPR, at Recital 63, the law mentions the right to information about “recipients” without mentioning “categories of recipients”.
- The GDPR imposes a general principle of transparency. Concealing information about specific recipients might violate this principle.
- Denying the individual information about the specific recipients of their personal data might prevent them from exercising their rights—for example, to rectify, erase or restrict the processing of that data.
Ultimately, though, the CJEU noted that “the right to the protection of personal data is not an absolute right”. There might be circumstances in which “it is not possible to provide information about specific recipients”.
The CJEU did not provide any examples of when disclosing specific recipients might not be possible. However, the EU’s Advocate General gave an opinion on the case in June 2022.
The Advocate General suggested that sometimes it might be “materially impossible” to reveal the specific recipients because they “have not yet actually been identified”—and the controller “cannot be expected to communicate information that does not yet exist”.
And bear in mind that the usual exception to subject access requests still applies—controllers can refuse to fulfil a request that is “manifestly unfounded or excessive”.
A Higher Standard of Transparency
Overall, this judgment will greatly improve transparency about data-sharing.
It suggests that if an individual makes a valid request for information about the recipients of their personal data, the controller must provide this information unless it is literally impossible to do otherwise.
Here are some steps to respond to this important case:
- Keep careful records of which individuals’ personal data you might share with which other organisations (e.g. vendors, other controllers, law enforcement agencies).
- Be transparent and specific about the identities of anyone with whom you share personal data. You can reveal the identities of recipients in your privacy notice. You must reveal them following a valid request.
- Be very careful if you decide to deny a request for information about the specific recipients of an individual’s personal data.
The Austria Post case sets a high standard for subject access requests.
If your organisation was ever reluctant to share information about the specific recipients of people’s data, that now has to change.