Does your organisation document what happens to personal data in its control? Does this include which parties receive or have access to it? If asked by a client, would you be able to confirm exactly who you have shared their information with? If the answer to any of these questions is ‘no’, you have landed on the right blog.
Following a dispute between the Austrian Postal Service and an Austrian citizen, the Court of Justice of the European Union (CJEU) has delivered its judgment in Case C-154/21. The judgment places emphasis on:
(1) organisations being prepared to specify with whom they share individuals’ data; and
(2) the distinction between the rights under Articles 13, 14 and 15.
While this decision directly affects EU-based organisations, the UK GDPR closely mirrors its EU counterpart and a similar interpretation may follow in the UK. Note that, as the Data Protection and Digital Information (DPDI) Bill progresses, some of the existing regulatory requirements for businesses operating in the UK could change. The Bill will not be in effect for some time, however, so it is the UK GDPR that they must adhere to today.
The individual’s right to be informed
Under Articles 13 and 14 of the UK and EU GDPR, individuals have the right to be informed about what happens to their data, including “the recipients or categories of recipients of the personal data.” The right corresponds to an organisation’s obligation to comply with the transparency principle. Transparency matters: it enables individuals to make informed decisions and underpins their ability to assert their rights over their data.
The wording of the legislation allows organisations to choose whether to:
- individually list the recipients of personal data in their privacy information; or
- list the categories of recipients in a specific manner (e.g., third-party debt collectors).
Categorising recipients in the privacy information may be more practical where there are a vast number of them (e.g., for data brokers) or where the nature of the recipients’ business is not easily described. Listing categories rather than individual recipients is not, however, intended as a shortcut to a compliant privacy notice for organisations that do not know the full extent of their data processing activities.
Individuals’ right to access their data
Individuals have the right of access (Article 15) under the UK and EU GDPR. This right enables them to:
- Obtain confirmation from a data controller as to whether or not it is processing their personal data.
- Access the personal data.
- Obtain further information on the processing of their personal data, including the recipients or categories of recipients.
- Be informed of the appropriate safeguards in place where the data is transferred to a third country.
- Obtain a copy of the personal data held.
The above appears to permit organisations to choose the level of transparency when complying with an individual’s right of access. However, Recital 63 of the UK and EU GDPR states that individuals should “have the right to know and obtain communication in particular with regard to […] the recipients of the personal data.” This means that if your organisation’s privacy information offers only the categories of recipients, you should, when asked by an individual, identify the specific parties that have received their data. In the case above, the Austrian Postal Service did not elaborate beyond the categories when asked by the individual, and the CJEU decided that it should have named the recipients. The judgment allows a controller to fall back on categories only where it is impossible to identify the recipients, or where the controller can demonstrate that the request is manifestly unfounded or excessive.
What should my organisation do?
Your first priority should be ensuring your data processing records are up to date and accurately reflect the processing activities your organisation undertakes. This includes your Record of Processing Activities (ROPA) and data flow maps. You may have to carry out a data discovery exercise to establish three things: which parties receive personal data, the categories of data they receive and the context in which they receive it. Once your documentation is accurate and complete, you will be better placed to review the references to recipients within your privacy notice(s).
To determine where one individual’s data has been shared, rather than the broader picture the ROPA gives, your organisation must have robust information governance in place. Good records management makes locating specific records possible, for example through document indexing and by ensuring records are correctly tagged to show how they have been processed and with whom they have been shared.
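To make the difference between ROPA-level and subject-level records concrete, the following is an added example (not code from the original post or from any organisation mentioned in it) of a minimal disclosure ledger that answers the recipients part of a SAR for one individual. Every disclosure is tagged with the data subject, the recipient category as worded in the privacy notice and the named recipient, so the categories can be published in the notice while the names are produced on request. Entries that were recorded with a category only are reported as gaps that must be resolved through data discovery before the response is complete. The organisation, subject identifiers, recipients, dates and the `Disclosure`/`answer_sar`/`format_response` names are all constructed for illustration.

```python
"""
Added example: a disclosure ledger that answers "who received this
person's data?" (Article 15) from records tagged at the level of the
individual, not just at the level of the ROPA.

All identifiers, recipients and dates below are constructed samples.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Disclosure:
    subject_id: str           # pseudonymous identifier of the data subject
    category: str             # recipient category as worded in the privacy notice
    recipient: Optional[str]  # named recipient, or None if only the category was recorded
    data_categories: tuple    # which categories of personal data were shared
    purpose: str
    shared_on: date


# Constructed sample ledger for a hypothetical organisation.
LEDGER = [
    Disclosure("S-1001", "third-party debt collectors", "Example Recoveries Ltd",
               ("name", "postal address", "outstanding balance"),
               "debt recovery", date(2022, 3, 4)),
    Disclosure("S-1001", "marketing partners", "Example Ads GmbH",
               ("name", "postal address", "marketing preferences"),
               "direct marketing", date(2022, 5, 19)),
    # Category recorded but no named recipient: this is the gap a SAR will expose.
    Disclosure("S-1001", "marketing partners", None,
               ("postal address",), "direct marketing", date(2022, 6, 1)),
    Disclosure("S-1001", "third-party debt collectors", "Example Recoveries Ltd",
               ("name", "outstanding balance"), "debt recovery", date(2022, 9, 12)),
    Disclosure("S-2002", "IT service providers", "Example Hosting BV",
               ("email address",), "hosting", date(2022, 1, 7)),
]


def answer_sar(ledger, subject_id):
    """Return (recipients_by_category, gaps) for one data subject.

    recipients_by_category maps each notice category to the sorted list of
    named recipients that actually received this subject's data (deduplicated,
    since the same recipient may appear in several disclosures).
    gaps lists disclosures where only the category was recorded, so the named
    recipient must still be established before the response is complete.
    """
    recipients = defaultdict(set)
    gaps = []
    for d in ledger:
        if d.subject_id != subject_id:
            continue
        if d.recipient is None:
            gaps.append(d)
        else:
            recipients[d.category].add(d.recipient)
    return {cat: sorted(names) for cat, names in sorted(recipients.items())}, gaps


def format_response(ledger, subject_id):
    """Render the recipients section of a SAR response as plain text."""
    recipients, gaps = answer_sar(ledger, subject_id)
    lines = [f"Recipients of personal data for subject {subject_id}:"]
    if not recipients and not gaps:
        lines.append("  none recorded")
    for cat, names in recipients.items():
        lines.append(f"  {cat}: {', '.join(names)}")
    for g in gaps:
        lines.append(f"  INCOMPLETE: {g.category} on {g.shared_on.isoformat()} "
                     f"({', '.join(g.data_categories)}) - named recipient not recorded")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_response(LEDGER, "S-1001"))
    print(format_response(LEDGER, "S-3003"))
```

The point of the `None` recipient is that it should never reach a response: a ledger that can only say “marketing partners” for a given disclosure is exactly the situation the judgment treats as insufficient, and flagging it lets the SAR handler see which disclosures still need a named recipient before the statutory deadline.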
Review the policies that govern how the right of access is managed internally. A request in which an individual exercises this right is often referred to as a ‘SAR’ (subject access request).
You should also review the training you provide to your workforce on SARs. Such requests are often only recognised by customer-facing employees when the individual explicitly asks for access to, or a copy of, their data. A question such as ‘who have you shared my information with?’ engages the same right, and staff should be trained to recognise and route it as a SAR.