Personal data sharing: what information about recipients do we need to provide to individuals under the GDPR?
- Mark A. Prinsley,
- Oliver Yaros,
- Reece Randall,
- Ondrej Hajda,
- Ellen Hepworth,
- Alasdair Maher,
- Rebecca Keay,
- trainee solicitor
Sharing personal data is necessary for most organisations, but it also entails certain data protection risks. Controllers who share personal data with others must, among other obligations, ensure that they comply with the transparency principle in the EU General Data Protection Regulation and the UK General Data Protection Regulation (collectively, the "GDPR") and requests from individuals to exercise their rights under the GDPR.
Under the GDPR, controllers must provide individuals with information about the recipients of their personal data, both in privacy notices and in response to data subject access requests ("DSARs"). We examine the legal framework governing this information obligation, recent EU and UK case law, and guidance from data protection authorities on what information controllers need to provide to individuals about the recipients of their personal data.
Privacy Notices
Articles 13(1)(e) and 14(1)(e) of the GDPR require controllers of personal data to provide individuals with information about "the recipients or categories of recipients of the personal data, if any" [emphasis added]. Most organisations provide this information to individuals in their privacy notices. In practice, this information is often provided by reference to the categories of recipients.
The Guidelines on transparency from the Article 29 Working Party (the "Guidelines") suggest that generally the actual (named) recipients should be provided so that individuals know exactly who has their personal data. Where a controller opts to provide the categories of recipients, the Guidelines state that the information should be "as specific as possible by indicating the type of recipient (i.e., by reference to the activities it carries out), the industry, sector and sub-sector and location of the recipients". The Guidelines have been endorsed by the European Data Protection Board (the "EDPB") and apply throughout the European Union.
The Guidelines clarify that "recipients" do not just cover third parties. The privacy notice should provide information about other controllers, joint controllers, and processors to whom personal data is transferred or disclosed by the controller.
Similarly, the UK Information Commissioner's Office (the "ICO") guidance on the right to be informed (which is only applicable in the UK) states that where controllers share personal data, controllers should tell data subjects the names of the organisations or the categories that the recipients fall within. However, the ICO recommends to "be as specific as possible" if only the categories of recipients are disclosed.
In the ICO's previous enforcement decision, the ICO underscored that controllers who decide to provide categories of recipients (rather than named recipients) need to be as specific as possible when identifying recipients of personal data. Generic descriptions such as "business partners" or "analytics providers" did not give data subjects enough information about who was processing their data, where the data was being processed, and what those recipients did with the data.
Responding to DSARs
Article 15 of the GDPR provides individuals with the right to make a DSAR to a controller who processes personal data about them. Under Article 15(1)(c) of the GDPR individuals also have the right to obtain details of "the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations" [emphasis added].
Article 15(4) of the GDPR specifies that the right of access “shall not adversely affect the rights and freedoms of others”.
Furthermore, in the United Kingdom, Paragraph 16 of Schedule 2 of the Data Protection Act 2018 provides that "… obligations provided for in Article 15(1) to (3) [UK GDPR] do not oblige a controller to disclose information to data subject to the extent that doing so would involve disclosing information relating to another individual who can be identified from that information". Paragraph 16 further provides that the controller's obligation is not removed if the other individual has consented to the disclosure, or if it is "reasonable" to disclose the information to the data subject without the consent of the other individual.
The courts considered when controllers must provide the names of the recipients of the personal data in response to a DSAR, and when controllers may merely provide a list of the categories of recipients of the personal data.
The Austrian Post case – the EU decision
In RW v Österreichische Post AG, Case C-154/21, the Court of Justice of the European Union decided that unlike Article 13 and 14 of the GDPR, which established an obligation on controllers to disclose "information relating to the categories of recipient or the specific recipients of the personal data concerning [the data subject]" [emphasis added], Article 15 of the GDPR should be interpreted to provide data subjects with a "genuine right of access" meaning the choice of whether the names of specific recipients or merely the categories of recipients is disclosed, is a choice for the data subject.
The Court's reasoning for this interpretation, amongst other reasons, was that data subjects may need to know the names of recipients of their personal data to exercise other rights available to them under the GDPR, namely rights of correction and deletion. This may be particularly relevant where the recipient of the personal data is itself a controller.
The Court accepted that there are exemptions available under the GDPR, and specifically mentioned instances where it may not be possible for the controller to provide the names of specific recipients. For example, where the identity of recipients was not yet known, or where the request was manifestly unfounded or excessive. However, notably it would be for the controller refusing the request to prove that the request met this standard.
This decision applies to controllers and processing subject to the EU GDPR. As the Austrian Post case was decided after the end of the Brexit transition period, it is not directly applicable in the United Kingdom.
Harrison v Cameron – the UK position
The question of the interpretation of Article 15 of the UK GDPR came before the English courts in Harrison v Cameron [2024] EWHC 1377 (KB).
The High Court held that the data subject has a choice of whether it wants names of recipients to be disclosed to them. The judge considered the decision by the EU court in the Austrian Post case and held that although the judgment was not binding on English courts due to the UK's exit from the European Union, the court could "have regard to it" if relevant to the case.
This means that both in the EU and the UK where the data subject requests specific names of recipients to whom the personal data was disclosed, the controller should provide those names unless the controller can show that one of the exemptions under the GDPR applies.
What exceptions may be available to controllers responding to DSARs?
-
Rights of others:
Article 15(4) of the GDPR provides that the right of access "shall not adversely affect the rights and freedoms of others". In the United Kingdom, the exception in Paragraph 16 of Schedule 2 of the Data Protection Act 2018 may also be triggered. If a controller wants to rely on this exception, they need to do a balancing exercise. Notably, this exception may apply where recipients are natural persons, rather than legal entities.In Harrison v Cameron, the High Court upheld the "rights of others" exception, concurring that revealing the identities of the individual recipients to the data subject could infringe those recipients' rights, thus legitimizing the controller's discretion to withhold such information from the data subject who submitted the DSAR. In this case, the controller's provision of recipient categories, rather than individual names, was deemed sufficient to comply with Article 15 of the GDPR. The controller's rationale – that disclosing the recipients' names might expose them to the claimant's threats – was considered a valid exercise of the discretion granted to controllers under Article 15(4) of the GDPR and Paragraph 16 of Schedule 2 of the Data Protection Act 2018 in handling a DSAR.
-
Manifestly unfounded or excessive requests:
Under Article 12(5) of the GDPR, where an individual makes requests that are "manifestly unfounded or excessive, in particular because of their repetitive character", the controller can choose to charge a reasonable fee or refuse to comply. However, establishing that a DSAR is manifestly unfounded or excessive is a high bar and is unlikely to apply when an individual asks for the names of recipients of their personal data as a one-off request. -
Impossibility:
According to Recital 62 of the GDPR, controllers do not need to provide information where it would be "impossible" or "require disproportionate effort". While Recitals do not typically form part of the operative provisions of the GDPR, they are used to clarify the interpretation of operative parts of the GDPR. This suggests that the right to be informed should be subject to it being possible for the controller to provide that information or it being proportionate for them to provide it. In the Austrian Post case, the court gave the example of when the identity of recipients is "not yet known" as a situation where this exception may apply.
Conclusion
The right to know who receives personal data about you is one of the core rights under the GDPR.
While controllers have the option of deciding whether to provide the names of recipients or merely categories of recipients in their privacy notices, data protection authorities will expect controllers to describe the categories as specifically as possible where the controller decides to only provide the categories of recipients in their privacy notice. Businesses should consider if their privacy notices account for these requirements, or if any changes may be necessary to provide additional information to individuals.
Where the individual specifically asks the controller for names of the recipients to whom personal data about them have been disclosed, both the EU and English courts have clarified that they expect controllers to provide the names of the recipients unless one of the limited exemptions applies (in particular, if the recipient is an individual whose rights must also be protected under the GDPR).
This article was prepared with the help of Junaid Ahmed.