Last month, the European Court of Justice gave a ruling that clarifies the way organisations should interpret individuals’ right of access under the GDPR (General Data Protection Regulation).
The ruling stated that when submitting a DSAR (data subject access request), individuals are permitted to request:
- The identify of each organisation that have received, or will receive, the individuals’ personal data; or
- The categories of organisations that will be given access to that information.
By ‘category of organisation’, the GDPR refers to the type of business being conducted – such as a supplier, credit reference agency or government department.
According to the European Court of Justice, this interpretation of the GDPR is in line with the Regulation’s principle of transparency. It added that it’s essential that organisations provide this information, because it influences individuals’ judgement regarding other rights – in particular, the right of rectification, erasure and restriction.
The interpretation is supported by Article 19 of the GDPR, which – in the context of those rights – grants data subjects the right to receive the name of each organisation that receives the individuals’ personal data.
The ruling states that organisations must comply with the data subject’s rights, unless it’s impossible to identify those recipients (e.g. because they are not yet known), or if the request is “manifestly unfounded or excessive”.
What are the ramifications of this?
To understand what this ruling means, we must look at it within the context of the DSAR process.
When an individual submits a request, organisations are required to provide certain information. This includes confirmation that the individual’s personal information is being processed, copies of the personal information the organisation stores, and the lawful basis that was used to collect that information.
Organisations must also provide an estimated period for which the information will be stored, any relevant information about how the data was obtained, information about automated decision-making and – as we’ve explained – the names or categories of any third parties that the information has been shared with.
The Court’s ruling makes it clear that organisations must provide either specific names or categories of organisation based on the individual’s request.
As such, organisations must be careful when receiving DSARs, ensuring that they provide comprehensive and the correct details.
Although the European Court of Justice hasn’t stated explicitly, the ruling appears to apply only to DSARs and not other instances in the GDPR where organisations are required to outline the recipients or categories of recipients.
This is the case in Article 13 and 14, which relate to the initial processing of personal data, with Article 13 dealing with information collected directly from the data subject and Article 14 with information collected from third parties.
Need more GDPR compliance advice?
If you want more guidance on how this ruling affects your organisation, our team of experts can help.
IT Governance is a leading global provider of information security, risk management and compliance solutions. We advise organisations around the world on critical issues, and present cost-saving and risk-reducing solutions based on international best practice.
Whether you’re looking for a little help understanding your GDPR compliance requirements or you’d like a dedicated consultant, we offer a range of services that can be tailored to your needs.