The Austrian Federal Administrative Court (“AFAC”)[1] held[2] that a data subject has the right to be fully informed which specific personal data has been disclosed or will be disclosed to a recipient by the data controller.[3] According to the AFAC, it is not sufficient that the data controller only discloses the specific recipients to which personal data is transferred. This incomplete form of information does not enable the person concerned to make effective use of the rights granted by the GDPR (e.g. claiming damages) because the transmitted data may no longer be available with the recipient. In such a case, even a request for access addressed to this recipient would not provide the desired information.
The AFAC did not follow the view of the Austrian Data Protection Authority (“ADPA”)[4], which ruled on the case as the first instance. The ADPA had held that it is in any case sufficient, in the course of responding to a right to access request, to disclose the respective recipients. Disclosing the specific personal data for each recipient was not regarded as necessary by the ADPA.
According to the AFAC, the interpretation of the wording as well as a systematic interpretation of Article 15 (1) GDPR require the controller to disclose the specific data transmitted to each specific recipient. This principle equally applies to the specific data which will be transmitted in the future.
According to information from the AFAC of 27 November 2020, the ADPA filed an official appeal against the decision. The decision of the Austrian Supreme Administrative Court (“ASAC”)[5] is still pending. In the meantime, the ADPA seems to have adopted the view of the AFAC, since it held in a decision from 24 April 2020[6] that a controller has to disclose to the data subject the specific data transmitted to the specific data processors.
Implications for other aspects of the right to access
However, the AFAC did not clarify whether the specific personal data processed has to be provided equally under Article 15 (1) (a)-(b), (d) and (g)-(h) GDPR.[7] This aspect was not the subject of the complaint. Since this information is similarly intended to enable the data subject to make proper use of the rights granted by the GDPR, the question must be answered in the affirmative. The underlying ratio is that the lawfulness of the processing may also depend on the specific data processed.
As a result, the decision of the AFAC requires the controller to review each part of Article 15 (1) (a)-(h) GDPR on the basis of a step-by-step approach and relate the required information fully to the specific data processed. Accordingly, any fulfilment of a right to access request must follow a structure that allows the data subject to understand which information relates to which specific personal data. This can only be achieved by structuring the information required by Article 15 (1) GDPR according to the specific purposes of the data processing.
Implications for other aspects of the GDPR
The right to information on the specific content of the transfer to a recipient must be thoroughly examined. In particular, similar obligations of the controller to disclose recipients, under the information requirements pursuant to Articles 13 (1) (e) and 14 (1) (e) GDPR and for the documentation in the records of processing activities pursuant to Article 30 (1) (d) GDPR, have to be revised.
Neither Articles 13 (1), 14 (1) nor Article 30 (1) GDPR contain an obligation to provide information and documentation on the specific personal data processed. Further, the list of additional information to be provided or documented on the data processing does not explicitly refer to the specific personal data processed. Although all three obligations have a similar structure, a textual interpretation of Articles 13, 14 and 30 GDPR fails in the light of the above-mentioned differences.
Rather, it will be sufficient and appropriate to justify the outcome of the decision by the AFAC with the purpose of Article 15 GDPR, which is to ensure that the data subject is fully informed to be able to verify the lawfulness of the processing and to exercise their rights.
This is also precisely the purpose of the information pursuant to Articles 13 and 14 GDPR. This information is intended to enable the data subjects to assess, in abstract form, the lawfulness of the processing of their data by the controller at the time of their collection (Article 13 GDPR) or at least up to one month thereafter (Article 14 GDPR). For these purposes, the data subject requires information on the processing with the level of granularity expressly required by the AFAC with regard to the information on the content of a transmission to a specific recipient pursuant to Article 15 (1) (c) GDPR.
Therefore, it must be concluded that for the information pursuant to Article 13 GDPR, reference to specific processing activities or purposes is required, meaning the notification of the recipients pursuant to Article 13 (1) (e) GDPR must be linked to them.[8] In practice, this leads to a considerable need for revision of a large number of privacy notices.
What applies to privacy notices also applies to Article 30 records. Even though such a directory does not have to be made available to data subjects as a data subject's right, it provides the basis for Articles 13, 14 and 15 within a controller's data protection compliance system: if the Article 30 record does not contain information on which personal data has been or is to be disclosed to which recipient, the controller responsible will not be able to properly fulfil his (other) obligations. Therefore, the obligation to record processing activities pursuant to Article 30 (1) GDPR is also subject to the AFAC decision and the obligation of the controller to disclose the specific content of transmissions to any recipient.
In view of the almost identical obligations under Directive 95/46/EC, there are no reasons to believe that the rights of data subjects should be reduced by the GDPR, especially since the EU legislator rather intended to strengthen the rights of data subjects with their new regulation.[9]
[1] Bundesverwaltungsgericht or “BVwG”.
[3] Pursuant to Article 15 (1) in conjunction with Article 15 (1) (c) GDPR.
[4] Datenschutzbehörde or “DSB”.
[5] Verwaltungsgerichtshof or “VwGH”.
[7] Article 15 (1) (c) being the provision dealt with in this decision, while Article 15 (1) (e) and (f) concern the information about the rights of the data subject.
[8] The same applies to Article 14 (1) (e) GDPR.
[9] See Articles 10, 11 (information) and Article 19 (records of processing activities) of Directive 95/46/EC.