- European Court of Justice (ECJ) rules on GDPR requests for information and identity of data recipients
- As a rule, data controllers must name recipients of data precisely.
- Naming only categories is no longer sufficient.
- Importance of transparency in data processing emphasized.
- The right to information is the basis for further rights, including compensation.
- Exception: Categories only in the case of non-identifiable recipients or obvious unfoundedness.
- Since 12.01.2023, information must be adapted to the new jurisdiction.
The European Court of Justice (ECJ) has ruled that data controllers must, in principle, disclose the identity of the recipients to whom they have disclosed data in a GDPR access request. The often practiced approach of only notifying categories of recipients is not sufficient.
So if you want to know the exact recipients, you usually have to have them named exactly.
The ECJ thus strengthens the right to information under the General Data Protection Regulation. The court emphasizes the importance of transparency in data processing: data subjects must be able to verify whether data is being processed lawfully. The right to information is the basis for other rights, from rectification to compensation.
The naming of categories of recipients is only sufficient as an exception if the recipients cannot be determined or the request for information would otherwise be manifestly unfounded or excessive.
This question of detail has been quite controversial so far, because the wording of Art. 15 para. 1 lit. c DSGVO allows information to be provided both about recipients and only about categories of recipients. However, the ECJ has now clarified that what matters is who requests the information and not who has to provide it.
So whoever processes personal data should prepare for this jurisdiction, because since 12.01.2023 the corresponding information must be adapted!
