THE BOTTOM LINE
- Default Disclosure Obligation: Companies must now identify the specific recipients of personal data when handling access requests, not just list general categories like ‘marketing partners’.
- Increased Compliance Burden: Data access procedures and record-keeping must be updated to track and disclose specific recipient identities, placing a higher operational demand on data protection teams.
- Immediate Policy Review Required: Businesses should review their GDPR policies and data maps to ensure they can comply with this stricter interpretation, as the burden of proof for not disclosing specific names now rests entirely on them.
THE DETAILS
The case revolved around a straightforward but critical question under the GDPR’s right of access (Article 15). A data subject asked for the specific identities of the third parties to which a company, juris GmbH, had disclosed their personal data. The company argued that providing ‘categories of recipients’ was sufficient. The Court of Justice of the European Union (CJEU) was asked to clarify whether the law demands the disclosure of specific names or whether broad categories suffice. This is a common point of contention, with many businesses historically opting to provide general categories for operational simplicity and to protect commercial relationships.
The Court’s judgment firmly establishes that the default rule is full transparency. It reasoned that the right of access is not an end in itself, but a tool enabling individuals to exercise their other GDPR rights, such as the right to rectification, erasure, or to object to processing. To effectively exercise these rights, a person must know precisely who has their data. Merely knowing that data was sent to ‘payment processors’ is not enough to request its deletion from a specific, identifiable company. The ruling makes it clear that the right to information must be precise to be meaningful.
However, the Court did outline two narrow exceptions where a company could revert to providing categories of recipients. This is permissible only if it is impossible to identify the specific recipients, or if the request is ‘manifestly unfounded or excessive’. Crucially, the CJEU placed the burden of proof squarely on the data controller (the company) to demonstrate that one of these conditions is met. This sets a high bar and signals that relying on these exceptions should be a rare, justifiable event, not a standard business practice for handling data subject access requests.
SOURCE
Source: Court of Justice of the European Union
