Please note that all my articles are for informational purposes only and not legal advice. I assume no liability for the content of my articles. The articles may be out of date, the legal situation may have changed, or the specific situation in a case may need to be assessed differently. A binding consultation can only be given by me directly in the individual case. Take advantage of my free brief consultation!
The European Court of Justice (ECJ) has ruled that data controllers must, in principle, disclose the identity of the recipients to whom they have disclosed data in a GDPR access request. The often practiced approach of only notifying categories of recipients is not sufficient.
So if you want to know the exact recipients, you usually have to have them named exactly.
The ECJ thus strengthens the right to information under the General Data Protection Regulation. The court emphasizes the importance of transparency in data processing: data subjects must be able to verify whether data is being processed lawfully. The right to information is the basis for other rights, from rectification to compensation.
The naming of categories of recipients is only sufficient as an exception if the recipients cannot be determined or the request for information would otherwise be manifestly unfounded or excessive.
This question of detail has been quite controversial so far, because the wording of Art. 15 para. 1 lit. c DSGVO allows information to be provided both about recipients and only about categories of recipients. However, the ECJ has now clarified that what matters is who requests the information and not who has to provide it.
So whoever processes personal data should prepare for this jurisdiction, because since 12.01.2023 the corresponding information must be adapted!
Marian Härtel is a lawyer and entrepreneur specializing in copyright law, competition law and IT/IP law, with a focus on games, esports, media and blockchain.
