Earlier this year the Court of Justice of the European Union (CJEU) weighed in on the question of disclosing the recipients of personal data in the context of data subject access requests. The EDPB followed this up in its recent guidance on data subject access rights.
So how should we approach the question of disclosing data recipients?
- Be aware that the identity of recipients is part of the information which may need to be disclosed. Under Article 15 EU GDPR, the data subject has the right to receive “the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations.”
- Ensure you are able to disclose a full list of individual recipients if a data subject makes a request for something such as “access to their data”, “to exercise their rights under Article 15 GDPR” or specifically asks to have information on data sharing. Although it might seem like the decision between providing individual recipients or categories of the same is for the controller to make, the EDPB guidance has clarified that “if the data subject has not chosen otherwise, the controller is obliged to name the actual recipients”.
- It is not clear on the face of the guidance, but it is our view that where a data subject requests a copy of their data (rather than, as mentioned in the paragraph above, making a broad request to exercise their rights under Article 15 EU GDPR or a specific request for information on recipients), the controller is not legally required to disclose the individual recipients of the data in response to that request. By way of analogy, if a data subject made a specific request about who had received their data, it would not be appropriate to also provide a copy of the data in response to that request and so we consider the reverse to also be true. However, if the data subject clarifies that they want the information, you should, of course, provide it.
- Check if you have the right to refuse the request for the details of recipients. The CJEU confirmed that the right to receive details of individual recipients is not absolute and so if it is impossible to provide the recipients (perhaps as suggested in the case, where data will be shared but it is not yet clear who with), it may be appropriate to provide categories.
- Consider whether the request is manifestly unfounded or excessive, in which case it may be possible to refuse to comply.
- The EDPB states that where providing categories, the information should be as specific as possible by indicating “the type of recipient (i.e. by reference to the activities it carries out), the industry, sector and sub-sector and the location of the recipients”.
- If you find you are routinely being asked for details of recipients by data subjects or by regulators, we recommend the Record of Processing Activities as the best place to record a list of recipients, so that it is easily accessible if needed.
The guidance can be found here.