by Gerald Trieb//
The CJEU recently ruled on case C-154/21 concerning the right of access. The preliminary ruling proceedings were initiated by the Austrian Supreme Court; it asked in essence, whether Art 15 (1) (c) GDPR confers a right to receive the names of the recipients of personal data or whether the data subject only has a right to information about the categories of recipients. The lower courts had assumed that the controller had a right of choice; the Austrian Supreme Court had doubts and decided to refer the following question to the CJEU:
“Is Article 15(1)(c) of the GDPR to be interpreted as meaning that the right of access is limited to information on categories of recipients if specific recipients have not yet been determined at the time of planned disclosures, but the right of access must necessarily also extend to information about recipients of these disclosures if data have already been disclosed?”
The decision
The CJEU bases its assessment it in particular on the purpose of the right of access under Art 15 GDPR, which is to enable the data subject to verify the lawfulness of personal data processed about him or her and to exercise the rights under Articles 16 to 19 (right to rectification, erasure and restriction) and Art 21 GDPR (right to object). Due to these purposes and the principle of transparency in Art 5(1)(a) GDPR, the CJEU ultimately summarises its result, according to which:
“Article 15(1)(c) GDPR must be interpreted as meaning that the data subject’s right of access to the personal data concerning him or her, provided for by that provision, entails, where those data have been or will be disclosed to recipients, an obligation on the part of the controller to provide the data subject with the actual identity of those recipients, unless it is impossible to identify those recipients or the controller demonstrates that the data subject’s requests for access are manifestly unfounded or excessive within the meaning of Article 12(5) GDPR, in which cases the controller may indicate to the data subject only the categories of recipient in question.”
However, not only this summary of its answer, but also his preceding discussion of the legal question leave open questions regarding the interpretation of Art 15(1)(c) GDPR in relation to the question referred and raise new questions regarding the applicability of the cited exceptions to the obligation to disclose the names of the recipients. In particular, the CJEU’s reference to Article 19 of the GDPR provides room for the argumentation that the specific recipients are only to be disclosed upon the data subject’s explicit request. This, however, would arguably contradict the goal of the right of access to inform the data subject as comprehensively as possible about the ongoing processing of personal data.
A clear answer from the CJEU also lacks in relation to the question of when an identification of the recipients cannot be possible, against the background of the accountability principle of Art 5 (2) GDPR. From the decision, one could also conclude that other interests or fundamental rights could be in conflict with the naming of recipients or that the specific recipients for future, planned transfers would first have to be determined. It also remains open whether the objection of excessiveness under Art 12(5) GDPR must concern the access request as such or can also concern the request of the data subject for the disclosure of the recipients by their name, only. The latter view would in turn support the argument that specific recipients would only have to be disclosed upon the express request of the data subject!
Moreover, the CJEU does not make a helpful statement on the relationship between the right of access and the data subject’s right to information under Art 13, 14 GDPR and the right to information on the recipients or categories of recipients also contained therein, although the Austrian Supreme Court had explicitly addressed this relationship in the justification of its order to the CJEU and also drew conclusions from this for a possible answer to its question for a preliminary ruling. However, since the CJEU points out a difference between Art 15 and these provisions, it could also be concluded that the information pursuant to Art 13 and 14 GDPR is likely to have a lower information content than that in the course of an access request pursuant to its Art 15. This result could not be reconciled with the guidelines on transparency of processing endorsed by the European Data Protection Board, though, which the CJEU did not seem to consult at all.
Conclusion
Controllers are well advised to disclose recipients of personal data by their name when responding to access requests, notwithstanding the open questions and the broad scope for interpretation of the decision. A retraction to merely informing on categories of recipients would in any case have to be justifiable without an explicit request of the data subject, though. In addition, the use of the possible exception from the obligation to name recipients should also be limited to the disclosure of recipients to whom the disclosure of the data is only intended, but has not already taken place. Otherwise, the controller risks a conflict with the accountability and responsibility principle for the data processing operations it conducts. Reliance on other interests or fundamental rights seem conceivable in this context, only. Ultimately, the CJEU’s statements are probably too vague to avoid the obligation to disclose the names of the recipients by objecting to the excessive nature of the request for information. Excessiveness must still be proven in relation to the request for access itself. However, the result could be different if the view is taken that the data subject must expressly request that the specific recipients are named. Further preliminary ruling procedures on Art 15(1)(c) GDPR will probably not be long in coming.
Dr. Gerald Trieb, Partner Knyrim Trieb Rechtsanwälte OG, Wien