In the event that personal data processed by a trader is provided to another person, the trader as the so-called controller should fulfil its information obligation towards data subjects in respect of this fact. This applies not only to situations where personal data is provided to another controller (who will subsequently process such personal data independently on their own responsibility independently of the trader), but also to cases where personal data is made accessible to so-called processors, that is, a person who processes personal data for the trader (for example, hosting companies, software companies ensuring the operation of an e-shop for the trader, etc.). We shall examine more closely in this legal circular how this information obligation is to be fulfilled in practice. However, for the avoidance of all doubt, we prefer to mention at the outset that we are addressing this issue for those cases where the provision of personal data takes place within the European Union (and not to a third country outside the EU).

Article 13(1)(e) GDPR provides that “Where personal data… are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with the following information: the recipients or categories of recipients of the personal data;…” This provision addresses those cases where personal data are obtained directly from data subjects, for example, customers fill in a form on a website, users subscribe to a newsletter, potential employees provide a curriculum vitae. However, the situation where personal data are obtained by the trader from another controller is addressed similarly. At the time of collecting personal data, the trader should therefore inform the data subject to whom else their personal data will be transferred. From the above it also appears that this information obligation should be possible to fulfil either by stating the precise identification of the recipients of personal data, or by stating the “categories” of such recipients. In this second case, this means, for example, generally stating that the recipients of personal data will be forwarding companies or a company engaged in direct marketing for the trader, etc.

However, in addition to the above-mentioned information obligation of the trader when collecting personal data, the GDPR also establishes the right of the data subject to access personal data (Article 15 GDPR). Specifically, Article 15(1)(c) GDPR provides that “The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information: the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries…” The scope of this right recently became the subject of interpretation by the Court of Justice of the European Union in Case C-154/21 RW v Österreichische Post. The substance of the court dispute was the data subject’s request to obtain information on the specific identity of the recipients to whom the controller discloses the data subject’s personal data. However, the controller (Österreichische Post) did not communicate the precise identity of the recipients, but informed the data subject only of the categories of such recipients. The Court in this case inclined towards a stricter interpretation in favour of the data subject, holding that Article 15(1) GDPR gives the data subject the right to be informed of the specific recipients of personal data, that is, to know the actual identity of such recipients (except for certain specific exceptions, which the Court did not, however, define in any way).

In this connection with the above-mentioned judgment, it must be mentioned that the CJEU in this case dealt with the interpretation only of the provision governing the right of access to personal data (Article 15), that is, the scope of information provided at the request of the data subject, and not with the interpretation of Articles 13 and 14 GDPR regarding the scope of “preliminary” information provided (about other recipients of personal data). Having regard to the above, it appears to us that traders should still be able to fulfil the preliminary information obligation by stating “only” the categories of recipients and not their precise list. Otherwise, the reference to categories of recipients within the GDPR would actually make no sense. On the other hand, however, it is necessary to recall the efforts of public authorities towards an ever stricter interpretation of the provisions of the GDPR.

Josef Aujezdský

This text was originally prepared by the law firm Mašek, Kočí, Aujezdský in cooperation with the Association for Electronic Commerce (APEK) as legal circular no. 06/2023 intended for members of this association.

This text was translated from Czech to English using an AI translator.