
ECJ rules data subjects entitled to know of recipients

Austria
06.06.23
Written by Schima Mayer Starlinger, a modern, service-oriented law firm in Austria.
The decision clarifies the scope of the Data Subject Access Request under the GDPR.

The ECJ decided the previously open question of how much detail the employer must provide about the recipients or groups of recipients of the personal data upon request.  

The right to information under data protection law

Under Article 15 of the GDPR, the data controller (in the employment context, usually the employer) must provide the data subject (the employee), at the employee’s request, with certain specified information about the personal data it processes. This Data Subject Access Request (DSAR) is a popular instrument for employees. It is often asserted in an employment dispute, especially in connection with termination, to increase the pressure on the employer to settle a case.  

One of the specified matters that must be disclosed in response to a DSAR is ‘the recipients or categories of recipients’ of the subject’s data. It was previously disputed among national courts and in legal doctrine whether the controller has the right to choose between disclosing only the categories of recipients or each recipient individually, or whether that choice belongs instead to the data subject. This question has now been decided by the ECJ in favor of the data subject in its January 2023 Österreichische Post decision. According to this decision, the data subject generally has the right to choose whether he or she wishes to know the recipients individually or only by category.  

The contested case and the decision

In the case, a customer of the Österreichische Post AG (Austrian Post) had requested disclosure of the recipients of his personal data. In response to the request, Austrian Post replied that, to the extent permitted by law, his data had been passed on to business partners for marketing purposes. Austrian Post did not however disclose the identity of any individual recipients of those personal data.  

In the court proceedings, Austrian Post argued that disclosure of only the categories of recipients was compliant with the GDPR, and the lower courts agreed. However, the Supreme Court in Vienna referred the dispute to the ECJ, which decided the issue in favor of the plaintiff. The result is that data controllers now have to disclose not only the categories of recipients but also their actual identity if the data subject so requests.  

In reaching this result, the ECJ referred to the wording, structure, and objective of the GDPR and the legislative history of Article 15. While the wording of the DSAR provision does not make a clear statement as to who gets to choose whether the disclosure must name the individual data recipients or only the categories of recipients, this follows from the fact that the provision is directed at data subjects and is intended to give them a genuine right of access to data stored about them. The court also cited the general objective of the GDPR to create transparency and the right of the data subject to be able to check the lawfulness of the data processing.  

Implications for European employers (and other data controllers) and practical recommendation

The Österreichische Post decision is of great importance as it increases transparency regarding the processing of personal data. However, it will also entail considerable administrative costs for data controllers, including employers, to prepare for and provide information on each individual recipient of the data (natural person or legal entity). Any template letters used for responding to employee DSARs must be adapted accordingly.  

A ‘recipient of data’ under the GDPR’s definition is any person or legal entity that receives personal data. This includes so-called data processors as well as so-called third parties. Typical examples of (external) data processors in an employment context are:  

  • payroll provider;  
  • centralized HR department in the group of corporations acting under instruction of and as a service for the employer;  
  • external IT service providers; and 
  • an external legal advisor working under clear instruction and assignment from the employer.  


Examples of typical third party data recipients in the employment context include:  

  • external bodies and authorities (with an exception for prosecuting authorities);  
  • health insurance funds;  
  • parent companies processing data on their own behalf and in their own interest; and  
  • employment agencies.  


The broad term ‘recipient of data’ might also include all subcontractors who were used by the respective processor (so-called ‘further processors’). Accordingly, it is likely also necessary to disclose the identity of all recipients in the ‘service chain’. While this aspect has not yet been decided, providing this information is the safest approach in responding to a DSAR.  

Prior recipients who are no longer current recipients must also be disclosed, as long as personal data of the subject are still being processed by the controller (that is, as long as the controller has no positive knowledge that the ‘no longer current’ recipient has already deleted the data). 

Hence, one can see at a glance that the list of possible recipients of an employee’s data is long. It will therefore be crucial to clarify and prepare beforehand which recipients of data the employer involves, which processing takes place in which countries, and to record all these recipients (and further information) to have them ready in case of any employee requests. 

Given the impact of this ruling, it is strongly recommended for employers to carefully study the ECJ’s comments on the exceptions to the plaintiff-friendly principle of information on all data recipients. In the ruling, the ECJ stated that data protection is not an absolute right, and that under the principle of proportionality, the subject’s data protection rights must be weighed against the fundamental rights of third parties. The ECJ concluded that if it is impossible to provide more precise information about the recipients, the controller cannot be obliged to do so. This applies, for example, if a specific recipient is not yet known. The controller is also entitled to reject claims for information if they are excessive or abusive.  


Authors
Jessica Jacobi
Partner - Germany
Kliemt.HR Lawyers
Birgit Vogt-Majarek
Partner - Austria
Schima Mayer Starlinger