Where a controller has disclosed or will disclose a data subject’s personal data to a recipient, the GDPR 1) imposes obligations on controllers to inform about the recipient, and 2) gives the data subject (correlative) rights to information about the recipient. In this blog post, I give a non-exhaustive overview of 1) and 2).

In a previous blog post on the ECJ’s assessment in Österreichische Post AG, Case C‑154/21, I discussed answers to the questions 1) what does “recipient” mean?, 2) who can be regarded as recipients of personal data?, 3) what are the controller obligations to inform about recipients?, and 4) what are the data subject rights to information about recipients?

1 Recipient information: Controller-to-Supervisory Authorities

1.1 Record of Processing Activities

Article 30.1 (d) GDPR imposes an obligation on controllers to inform the Supervisory Authority (on request) about the categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organisations. In Österreichische Post AG, Case C‑154/21, the ECJ did not settle whether Article 30 GDPR imposes an obligation on the part of the controller to provide the data subject with the actual identity of recipients. However, guidance from several Supervisory Authorities requires that controllers provide information about recipients, including the name and contact details of the processors which process personal data on behalf of the controller, as well as the name and contact details of the sub-processors that process personal data on behalf of the processor.

1.2 Data Breach Notification and Prior Consultation

Beyond the obligation in Article 30.1 (d) GDPR, there are several situations in which controllers are obliged to inform Supervisory Authorities about recipients to whom the personal data have been disclosed, including 1) when the recipient is a data processor that processes personal data on behalf of the controller and the processor has had a data breach (Article 33 GDPR), and 2) when the controller is obliged to consult the Supervisory Authority prior to processing because a data protection impact assessment under Article 35 indicates that the processing carried out by the processor would result in a high risk in the absence of measures taken by the controller to mitigate the risk (Article 36 GDPR).

2 Recipient information: Controller-to-Data Subjects

2.1 Consent and Joint Controllers

When the legal basis for processing a data subject’s personal data is the data subject’s consent (Article 4(11) GDPR, Article 6.1(a) GDPR, Article 9.2(a) GDPR, Article 22.2(a) GDPR and Article 49.1(a) GDPR), Article 18.2 GDPR imposes an obligation on controllers to inform data subjects about the controllers’ joint controllers, including their name and contact details. When a data subject has given his or her consent to a controller and a joint controller, the data subject has a right to withdraw the consent in relation to both the controller and the joint controller. This means that the controller must enable the data subject to withdraw his or her consent in relation to the joint controller, which is named and whose contact details are included. See Guidelines 05/2020 on consent under Regulation 2016/679, Version 1.1, adopted on 4 May 2020, point 65.

2.2 Privacy notice

The data subject’s right to information according to Article 13.1(e) GDPR, Article 14.1(e) GDPR, Article 14.1(f) GDPR and Article 14.3 (e) GDPR entails, where the data subject’s personal data have been or will be disclosed to recipients, an obligation on the part of the controller to provide the data subject with information about the recipients or categories of recipients of the personal data. In Österreichische Post AG, Case C‑154/21, the ECJ did not settle whether Articles 13 and 14 GDPR impose an obligation on the part of the controller to provide the data subject with the actual identity of recipients. The Article 29 Working Party Guidelines on transparency under Regulation 2016/679 state that “(t)he term “recipient” is defined in Article 4.9 as “a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not” [emphasis added]. As such, a recipient does not have to be a third party. Therefore, other data controllers, joint controllers and processors to whom data is transferred or disclosed are covered by the term “recipient” and information on such recipients should be provided in addition to information on third party recipients. The actual (named) recipients of the personal data, or the categories of recipients, must be provided. In accordance with the principle of fairness, controllers must provide information on the recipients that is most meaningful for data subjects. In practice, this will generally be the named recipients, so that data subjects know exactly who has their personal data. If controllers opt to provide the categories of recipients, the information should be as specific as possible by indicating the type of recipient (i.e. by reference to the activities it carries out), the industry, sector and sub-sector and the location of the recipients.”

2.3 Data Subject Rights: Objection to Legitimate Interest

When the legal basis for processing a data subject’s personal data is the legitimate interests pursued by the controller or by a third party according to Article 6.1(f) GDPR, Article 21.5 GDPR gives the data subject, in the context of the use of information society services, a right to exercise his or her right to object by automated means using technical specifications. This means that the controller must enable the data subject to object to processing based on the legitimate interests pursued by the controller or by a third party, and that the third party must be named and its contact details included.

2.4 Data Subject Rights: Access Right

In Österreichische Post AG, Case C‑154/21, the ECJ settled that the data subject’s right of access to personal data concerning him or her, according to Article 15(1)(c) GDPR, entails, where those data have been or will be disclosed to recipients, an obligation on the part of the controller to provide the data subject with the actual identity of those recipients. The controller is exempt from this obligation when it is impossible to identify those recipients, or when the controller demonstrates that the data subject’s requests for access are manifestly unfounded or excessive within the meaning of Article 12(5) GDPR; in those cases the controller may indicate to the data subject only the categories of recipient in question.

2.5 Data Subject Rights: Right to be informed of the specific data recipients when controller informs data recipients of the exercise of the data subject’s rights

The second sentence of Article 19 GDPR obliges controllers to inform data subjects about all recipients upon request. This in turn gives data subjects the right to know the recipients in the context of the controller’s obligation to inform all the recipients of the exercise of the data subject’s rights under Article 16, Article 17(1) and Article 18 GDPR.

3 Recipient information: Processor-to-Controller

Article 28.2 GDPR imposes an obligation on the processor to inform the controllers on behalf of which the processor is acting about existing and new sub-processors which process personal data on behalf of the processor. The information about existing and new sub-processors includes the name and contact details of the sub-processors as well as information about processing locations. The processor may only use a sub-processor with the prior specific or general written authorisation of the controller, so that the controller retains control over who processes personal data on the controller’s behalf.

4 Recipient information: Processor-to-Supervisory Authorities

Article 30.2 (a) GDPR imposes an obligation on processors to inform the Supervisory Authority (on request) about the name and contact details of the processor or processors and of each controller on behalf of which the processor is acting. This means that, in addition to the obligation to inform the Supervisory Authority about all data controllers on behalf of which the processor is acting, the processor also has an obligation to inform about its sub-processors which process personal data on behalf of the processor. By requesting to see a processor’s record of processing activities, the Supervisory Authority gains access to information about the actors involved in the supply chain of personal data processing, and can then request 1) that the processor informs about the legal basis for using sub-processors, and 2) whether the processor informs the controller about sub-processors (Article 28 GDPR).

5 Recipient information: Controller internally

Article 5.2 GDPR imposes an obligation on controllers to be able to demonstrate compliance with paragraph 1 of Article 5 (‘accountability’). This requires controllers to map out and document all their personal data processing activities, including documenting the actual identity of recipients of personal data. This also follows from Article 24.1 GDPR.

By Georg Philip Krog, Chief Legal Counsel at Signatu