DSARs: just when I think I’m out they pull me back in. 

On Thursday, the European Court of Justice’s Advocate General issued an interesting opinion on the right of access — specifically, the information to be provided about the recipients to whom personal data have been sent. 

Art. 15(1)(c) of the GDPR says that the data subject has the right to obtain from the controller information about “the recipients or categories of recipient to whom the personal data have been or will be disclosed…”.  The question for the AG, as referred by the Austrian Supreme Court, is does the right of access require the controller to provide information about the specific recipients, or can the controller provide only information about the categories of recipients with whom the data are shared.  He found for the former interpretation, as follows:

  • Art. 15(1) is drafted ambiguously, leading the AG to find that (1) it wasn’t possible to deduce an order of priority between “recipients” and “categories of recipient”, and (2) the language doesn’t make clear whether it is possible to choose between the two options.  The use of “or” in “recipients or categories of recipient” is clear enough to me; rather, the question is who gets to choose: data subject or controller?  
  • On that point, the AG held that it is for the data subject to choose whether to receive information in a specific or generalised form.  This makes sense, given that — unlike Arts. 13 and 14, which provide obligations on the controller — the right of access gives power to the individual making the request. 
  • The thinking here is twofold: (1) Art 5(1)(a) requires processing to be transparent, of which Art. 15 is fundamental; and (2) the purpose of the access right is to allow the data subject to determine whether their data are being processed lawfully (which includes only being sent to authorised recipients).
  • According to the AG, this interpretation of Art. 15 can be limited where the disclosure of individual recipients in materially impossible (for example, because they identity of the recipients within a category hasn’t yet been determined), and where the request is manifestly unfounded or excessive.  However, those exemptions aren't going to be likely in most cases.

So what does this mean in practice?  Many controllers simply provide their privacy notice to meet the “…and the following information” requirement of Art. 15(1), and it’s often the case that the data subject doesn’t ask for more granular information than is set out in the notice.  The AG makes clear that this approach is permitted (assuming, of course, that the notice does indeed include this information). 

But where the individual asks for specific categories of recipients you will need to be prepared to provide that information — and if you couldn't do that today, it's worth thinking about how you'd address such a request if it landed in your inbox tomorrow.