Article 15(1)(c) of the GDPR gives data subjects the right to obtain information from a controller on “the recipients or categories of recipients to whom the personal data have been or will be disclosed.” A common practice has been to list the recipients only at category level in privacy notices and provide this information to the data subject upon request. However, many controllers were shocked after the Court of Justice of the EU (the “CJEU”) published its decision in case C-154/21, holding that controllers must provide data subjects with the actual identities of recipients, if so requested. According to the CJEU, this right enables data subjects to verify that their personal data are processed in a lawful manner.
While controllers must disclose recipients' identities, a few exemptions apply. First, a controller can refuse to act on a data subject’s request if the controller can demonstrate that the request is ‘manifestly unfounded’ or ‘excessive’. Secondly, the CJEU confirmed that the right of access may be restricted if ‘it is impossible to disclose the identity of specific recipients’ (for example, where the recipients are not yet known). Lack of documentation is unlikely to be a valid reason to rely on these exceptions.
Good documentation comes in handy not only to demonstrate your compliance to the supervisory authorities but also to respond to data subjects’ requests with correct information.
Many organisations keep documentation on their 3rd parties or recipients as a general list, but only a few can actually demonstrate what data is or was disclosed to which recipient. More importantly, many controllers process data from multiple data subject categories, which means that not all data subject categories’ data is disclosed to all recipients.
The CJEU decision can be an excellent prompt to review your accountability documentation and see whether you could respond to a request from a long-term customer or an employee asking “To whom have you disclosed my personal data?”. A simple list of all the 3rd parties might not be enough to respond correctly.
PrivacyDesigner was built to help data protection officers and other privacy professionals gain a thorough understanding of their organisations’ processing activities. This understanding is crucial for identifying risks and for maintaining more robust documentation. Typically, organisations will have multiple data sources where they collect personal data from different data subject categories. With PrivacyDesigner you can visualize your processing activities to better understand the complexity of your organisation’s data processing.
The bigger the organisation, the greater the need to divide data subject categories from the traditional customer, employee and business partner categorisation into more detailed ones. PrivacyDesigner allows you to document very detailed categories and see where their personal data end up (and also to which recipients).
Try PrivacyDesigner out for yourself. Book a demo now and see how it can transform the way you approach privacy compliance. With a clear, visual representation of your data flows, you'll be able to identify risks and opportunities, and respond to different requests with accurate information.