The General Data Protection Regulation (GDPR) came into effect on May 25, 2018. The introduction of the regulation resulted in increased requirements for the handling of personal data. In an employment relationship, personal data is often processed. Therefore, it is important for the employer to be aware of their obligations and how personal data should be handled. During the spring of 2023, the EU Court of Justice has dealt with cases concerning the processing of personal data in employment relationships. Below, a case will be presented that addresses the information that the employer, as the data controller, is obligated to provide upon request by the employee.
On January 12, 2023, the EU Court of Justice ruled on whether the data controller has an obligation to disclose the identity of recipients of personal data in case C-154/21.
The employee had requested access to the personal data concerning them, and if the data had been disclosed to a third party, the employee wanted to know to whom. According to Article 15(1)(c) of the GDPR, the data controller is obligated to provide the data subject with information about the recipients or categories of recipients to whom the personal data have been or will be disclosed, if requested by the data subject. In this case, the company presented categories of recipients such as advertising agencies and IT companies.
The EU Court of Justice clarified that the right of the data subject to access personal data concerning them entails an obligation for the data controller to provide the specific identity of the recipients when the data is or will be disclosed. This is to ensure the data subject's other rights under the data protection regulation, such as the right to verify the accuracy of their data and the lawful processing of the data. The same applies in order to exercise their right to rectification, erasure, or to bring a claim for damages.
It should be noted that the right to protection of personal data is not an absolute right but must be balanced against other rights in society. Therefore, the right to know the identity of the recipient is restricted if it is impossible to identify the specific recipients or if the data subject's request for access is clearly unreasonable or unfounded. In such cases, it is acceptable for the data controller to only inform the data subject about the categories of recipients.
In summary, the ruling states that the data controller is obligated to provide the actual identity of the recipients to the data subject, unless it is impossible to identify them or the data controller can demonstrate that the request is clearly unfounded or unreasonable. When interpreting EU law, the purpose and context of the regulation should be taken into account.
The ruling of the EU Court of Justice further emphasizes the importance of the employer's responsibility in personal data management. In particular, transparency is required, as stated in the ruling. The employer needs to be transparent about how personal data is handled and have full control over the specific recipients to whom the information is disclosed. The employer should also be prepared to provide this information if requested by the employee. This means that employers, as data controllers, should ensure procedures for disclosing personal data.