Every individual has the right to know to whom his or her personal data have been disclosed, the Court of Justice recently affirmed. It is only in exceptional circumstances that it is permissible for the controller of such data to indicate only the categories of recipients, rather than identify the actual recipients themselves.
Among other rights enjoyed by a data subject in terms of the General Data Protection Regulation (GDPR) is the right of access to one’s personal data. In terms of this right, the data subject is entitled to obtain from the controller not only a confirmation as to whether or not personal data concerning him or her are being processed, but also access to any such
personal data, as well as other specific information. The latter includes information on the recipients or categories of recipient to whom the personal data have been or will be disclosed.
The facts of this case were briefly as follows.
An individual requested the principal operator of postal and logistical services in Austria to disclose to him the identity of the recipients to whom it had disclosed his personal data, quoting his right to do so in terms of the GDPR. The postal operator merely replied that it uses personal data, to the extent permissible by law, in the course of its activities as a publisher of telephone directories and that it offers such personal data to trading partners for marketing purposes. The individual concerned brought proceedings against the operator before the Austrian courts, with a view to ascertaining the identity of the recipients of his personal data.
In the course of these proceedings, the operator further informed the individual that his data had been forwarded to customers, including advertisers trading via mail order and stationary outlets, IT companies, mailing list providers and associations such as charitable organisations, NGOs or political parties. Nonetheless, the national court seized of the case filed a preliminary reference before the CJEU, requesting guidance as to whether the GDPR leaves the data controller the option to disclose either the specific identity of the recipients or only the categories of recipient, or whether it gives the data subject the right to obtain the specific identity of the recipients of one’s personal data.
Such judgments serve to provide legal certainty
The court affirmed that, in terms of the GDPR, and upon the request of the data subject, where personal data has been or will be disclosed to recipients, there is an obligation on the part of the controller to provide the data subject with the actual identity of such recipients.
It is only in specific circumstances, such as where it is not, at that point in time, possible to identify such recipients, or where the controller demonstrates that the request being put forward by the data subject is manifestly unfounded or excessive, that the controller may indicate only the categories of recipient in question.
The court observed that the data subject’s right of access is necessary to enable the individual to exercise other rights conferred by the GDPR. Such rights include the right to rectification of one’s personal data, the right to be forgotten, the right to restrict the processing of one’s data, the right to object to processing or right of action where he or she suffers damage.
The wide interpretation afforded by the CJEU to the rights of data subjects as enshrined in the GDPR serves to ensure the utmost protection of an individual’s personal data, as part of his or her fundamental rights and freedoms.
Such judgments also serve to provide legal certainty in an area of law where it is often indispensable for a delicate balance to be struck between the rights of data subjects and the need of entities to process personal data for the purposes of providing specific services or complying with a regulatory framework.
Mariosa Vella Cardona is a freelance legal consultant specialising in European law as well as a visiting examiner at the University of Malta.