European Top Court Confirms Companies Need To Name "Recipients" Of Personal Data When Responding To Access Requests, Not Just Categories

Jurisdiction: European Union
Law Firm: Goodwin Procter LLP
Subject Matter: Privacy, Data Protection
Author: Lore Leitner, Gretchen Scott, Joseph Ndep and Gabe Maldoff
Published date: 27 January 2023

On January 12, 2023, the Court of Justice of the European Union ("CJEU") ruled in case C-154/21 (Österreichische Post AG) that controllers must provide the specific identity of any "recipient" of personal data in response to a GDPR access request. While the GDPR itself states that controllers may inform individuals of the "recipients or categories of recipients," the CJEU held that disclosing "categories of recipients" is sufficient only where it is not possible to provide a specific identity or where another exception applies.

The term "recipient" refers to any person or entity to which personal data is disclosed - including all service providers and processors - not just third-party controllers. This means that controllers should maintain comprehensive current and historical lists of all other parties to which they disclose personal data. Controllers that receive high volumes of access requests may prefer to provide this information publicly, such as within a public-facing privacy policy, to reduce the burden of complying with individual access requests.

Background

In 2019, an Austrian citizen requested that Österreichische Post AG (responsible for the Austrian postal service) disclose to him the identities of recipients of his personal data, as part of an access request under the GDPR, which gives individuals the right to obtain information from a controller about the recipients, or categories of recipients, to which a controller has disclosed or will disclose their personal data.

Österreichische Post AG chose to provide the individual with a description of the categories of recipients, rather than the specific identities of recipients, informing him that it uses personal data in the course of its activities as a telephone directory publisher, and that it offers personal data to trading partners for the purposes of marketing. Unsatisfied by the response, the individual brought proceedings against Österreichische Post AG before the Austrian Courts, seeking an order that Österreichische Post AG provide him with the specific identities of the recipients.

Austrian courts initially decided categories were acceptable

During the course of the judicial proceedings, Österreichische Post AG provided the individual with additional information about the categories of recipients. For example, Österreichische Post AG identified the recipients as stationary outlets, IT companies, and mailing list providers, but it did not name each recipient. Both at trial and on...
