In January 2023, the Court of Justice of the European Union (CJEU), the court that interprets EU law, ensures it is applied in the same way in all EU countries and settles legal disputes between national governments and EU institutions, ruled in Case C-154/21 that “every person has the right to know to whom his or her personal data has been disclosed [to]”. Personal data here means information which relates to an identified or identifiable natural person. This judgment followed a dispute before the Austrian Supreme Court between an Austrian resident and the Austrian postal service, Österreichische Post.
The resident asked the postal service to disclose the identity of the recipients to whom his personal data had been disclosed. The Austrian Postal Service stated that it uses personal data to the extent permitted by law, offering personal data to trading partners for marketing purposes, but did not clearly set out the exact identities of the recipients. During the proceedings, the Austrian Postal Service further clarified that the data had been forwarded to processors and third parties, including:
The Austrian Supreme Court was then left with the question: does the GDPR leave the data controller (the entity, such as an organisation, which determines the purposes and means of the processing of personal data) free to choose whether to disclose the specific identity of the recipients or only the categories of recipient, or does it give the data subject (an individual who can be identified or is identifiable from data) the right to know their specific identity?
This was the question put before the CJEU.
In this blog, we will look at the case in question, discuss what this means for your organisation, and what you should now do in order to ensure compliance with the new ruling.
The CJEU made it clear that data subjects have the right to know who is in receipt of their personal data. The Court stated:
“…Where personal data has been or will be disclosed to recipients, there is an obligation on the part of the controller to provide the data subject, on request, with the actual identity of those recipients. It is only where it is not (yet) possible to identify those recipients that the controller may indicate only the categories of the recipient in question…”
The Court also added the caveat that the request can be rejected, as long as the controller can demonstrate that the request is manifestly unfounded or excessive.
In this case the CJEU interpreted Article 15(1)(c) in its broader context and considered the objectives of the GDPR, ruling that data subjects have the right to know who has their data. In support of the decision, the Court stressed the following points:
This decision could have an impact on many small and medium organisations, but it is also an important decision in terms of data subject rights. Under UK and EU data protection regulation, data subjects have a number of rights available to them, including the right to be informed, access, rectification, erasure, restriction of processing, data portability, the right to object, and further rights in relation to automated decision making and profiling. The CJEU made it very clear that the right of access is essential to enable data subjects to exercise their other rights conferred by the GDPR. This includes the right to rectification, the right to erasure (a qualified right under the GDPR allowing data subjects to request that their personal data be erased, subject to exemptions), the right to restriction of processing, the right to object to processing, and the right of action if they have suffered damage.
Although this judgment does not give data subjects a new right, it extends the scope of the existing right of access. It also affirms that data subjects should have a right to know where their data is going and for what reason it is being shared with a third party.
To begin with, go back to your data maps and work out where your data is going and where all your vendors are located. You will need to ensure that this is up to date and accurately reflects the journey the personal data you collect takes. At this stage, you should also consider looking at your Records of Processing Activities (RoPA) and ensure they remain reflective of your processing activities. If any major changes have been made to your data map, or if your processes have changed, your RoPA should be updated to reflect this. You should also ensure that you have conducted vendor due diligence on any new vendors as this will help to demonstrate that you are accountable for your sharing and processing of personal data.
Your next priority should be to update your privacy policies (the documents, such as Privacy Notices and Registers of Processing Activities, used to account for and explain to data subjects how their data is to be processed, most commonly associated with website ‘privacy policies’) to list your data processors (third parties processing personal data on behalf of a data controller) and third-party vendors. This will demonstrate transparency to your data subjects. It will also encourage your data subjects to go to the privacy policy to find this information, rather than ask you directly to provide it.
You should update any other existing notices to reflect this change. This includes any policies and procedures that discuss data subject rights. These may need to be updated, and the staff dealing with data subject requests will need to be made aware of any changes.
You should also ensure that your organisation respects all the other rights that the GDPR grants data subjects. The CJEU made it clear that the right to know where a subject’s personal data is going (and to whom) forms a crucial part of the right of access, adding that the “right of access is necessary to enable the data subject to exercise other rights conferred by the GDPR”. It is important that you consider and understand how your company upholds other data subject rights and how this new judgment ties in. You should ensure that any rights exercised by your data subjects are communicated to any data processors or third-party vendors involved. For example, will the third-party processor support you when one of your data subjects wants to update their address or wants to obtain a copy of their data?
This judgment is a significant clarification for organisations and could push them to change a lot of their processes and policies. If your organisation has data subjects in the EU, or you are a data processor for an EU-based data controller, you will need to ensure that you comply with this decision and provide a mechanism for giving this information to data subjects (especially if they request it).
If your organisation processes personal data on EU resident data subjects, or if you would like more Data Protection Services, complete the form below and someone from our team will be in contact.