Right to know who information is disclosed to

On January 12, 2023, the EU Court of Justice ruled on whether the data controller has an obligation to disclose the identity of recipients of personal data in case C-154/21.

The employee had requested access to the personal data concerning them, and if the data had been disclosed to a third party, the employee wanted to know to whom. According to Article 15(1)(c) of the GDPR, the data controller is obligated to provide the data subject with information about the recipients or categories of recipients to whom the personal data have been or will be disclosed, if requested by the data subject. In this case, the company presented categories of recipients such as advertising agencies and IT companies.

The EU Court of Justice clarified that the right of the data subject to access personal data concerning them entails an obligation for the data controller to provide the specific identity of the recipients when the data is or will be disclosed. This is to ensure the data subject's other rights under the data protection regulation, such as the right to verify the accuracy of their data and the lawful processing of the data. The same applies in order to exercise their right to rectification, erasure, or to bring a claim for damages.

It should be noted that the right to protection of personal data is not an absolute right but must be balanced against other rights in society. Therefore, the right to know the identity of the recipient is restricted if it is impossible to identify the specific recipients or if the data subject's request for access is clearly unreasonable or unfounded. In such cases, it is acceptable for the data controller to only inform the data subject about the categories of recipients.

Things to consider

In summary, the ruling states that the data controller is obligated to provide the actual identity of the recipients to the data subject, unless it is impossible to identify them or the data controller can demonstrate that the request is clearly unfounded or unreasonable. When interpreting EU law, the purpose and context of the regulation should be taken into account.

The ruling of the EU Court of Justice further emphasizes the importance of the employer's responsibility in personal data management. In particular, transparency is required, as stated in the ruling. The employer needs to be transparent about how personal data is handled and have full control over the specific recipients to whom the information is disclosed. The employer should also be prepared to provide this information if requested by the employee. This means that employers, as data controllers, should ensure procedures for disclosing personal data.

In summary

  • Be aware of the process: An employment contract establishes the working relationship between employer and employee, and it is important to understand how and when this agreement is made.
  • The data controller is obliged to provide the data subject with the actual identity of the recipients, provided that it is not impossible to identify them or that the request is clearly unfounded or excessive.
  • When interpreting EU law, consideration should be given to the purpose and context of the regulation.
  • The employer has a significant obligation and responsibility in the handling of personal data according to the decision of the EU Court of Justice.
  • A fundamental principle is transparency, where the employer must be open about how the processing of personal data is done and have control over the specific recipients to whom the information is disclosed.
  • The employer should have procedures in place to ensure proper handling and disclosure of personal data upon request from the data subject.

Related articles

This website uses cookies

Cookies ("cookies") consist of small text files. The text files contain data which is stored on your device. To be able to place some type of cookies we need your consent. We at Alex AB (publ), corporate identity number 559338-7698 use these types of cookies. To read more about which cookies we use and storage duration, click here to get to our cookiepolicy.

Manage your cookie-settings

Necessary cookies

Necessary cookies are cookies that need to be placed for fundamental functions on the website to work. Fundamental functions are for instance cookies that are needed for you to use menus and navigate the website.

Statistical cookies

To know how you interact with the website we place cookies to collect statistics. These cookies anonymize personal data.

Ad measurement cookies

To be able to provide a better service and experience we place cookies to tailor marketing for you. Another purpose for this placement is to market products or services to you, give tailored offers or market and give recommendations on new concepts based on what you have bought from us previously.

Ad measurement user cookies

In order to show relevant ads we place cookies to tailor ads for you

Personalized ads cookies

To show relevant and personal ads we place cookies to provide unique offers that are tailored to your user data