ECJ tightens requirements for GDPR disclosures

The European Court of Justice (ECJ) has ruled that data controllers must, in principle, disclose the identity of the recipients to whom they have disclosed data in a GDPR access request. The often practiced approach of only notifying categories of recipients is not sufficient.

Key Facts

European Court of Justice (ECJ) rules on GDPR requests for information and identity of data recipients
As a rule, data controllers must name recipients of data precisely.
Naming only categories is no longer sufficient.
Importance of transparency in data processing emphasized.
The right to information is the basis for further rights, including compensation.
Exception: Categories only in the case of non-identifiable recipients or obvious unfoundedness.
Since 12.01.2023, information must be adapted to the new jurisdiction.

So if you want to know the exact recipients, you usually have to have them named exactly.

The ECJ thus strengthens the right to information under the General Data Protection Regulation. The court emphasizes the importance of transparency in data processing: data subjects must be able to verify whether data is being processed lawfully. The right to information is the basis for other rights, from rectification to compensation.

The naming of categories of recipients is only sufficient as an exception if the recipients cannot be determined or the request for information would otherwise be manifestly unfounded or excessive.

This question of detail has been quite controversial so far, because the wording of Art. 15 para. 1 lit. c DSGVO allows information to be provided both about recipients and only about categories of recipients. However, the ECJ has now clarified that what matters is who requests the information and not who has to provide it.

So whoever processes personal data should prepare for this jurisdiction, because since 12.01.2023 the corresponding information must be adapted!

Author: Marian Härtel

Marian Härtel ist Rechtsanwalt und Fachanwalt für IT-Recht mit einer über 25-jährigen Erfahrung als Unternehmer und Berater in den Bereichen Games, E-Sport, Blockchain, SaaS und Künstliche Intelligenz. Seine Beratungsschwerpunkte umfassen neben dem IT-Recht insbesondere das Urheberrecht, Medienrecht sowie Wettbewerbsrecht. Er betreut schwerpunktmäßig Start-ups, Agenturen und Influencer, die er in strategischen Fragen, komplexen Vertragsangelegenheiten sowie bei Investitionsprojekten begleitet. Dabei zeichnet sich seine Beratung durch einen interdisziplinären Ansatz aus, der juristische Expertise und langjährige unternehmerische Erfahrung miteinander verbindet. Ziel seiner Tätigkeit ist stets, Mandanten praxisorientierte Lösungen anzubieten und rechtlich fundierte Unterstützung bei der Umsetzung innovativer Geschäftsmodelle zu gewährleisten.

Tags: Case law Damages General Data Protection Regulation Personal data Privacy Regulation