On January 12, 2023, the Court of Justice of the European Union (CJEU) declared that under the General Data Protection Regulation (GDPR), an individual has the right to request the identity of each entity to whom the data controller has disclosed their personal data. Unless it is impossible to determine exactly who these entities are, or if the controller can prove that this request is “manifestly unfounded or excessive,” they must comply with the consumer’s wishes.
This decision is in line with the principle of transparency laid out in the GDPR. It grants individuals the capacity to exercise further rights, such as rectification, deletion, and objection. Article 19 GDPR also ensures that when a person exercises these rights, they may receive from the controller a list of all recipients of said personal data.
The conclusion of the Court holds only for a right of access; it remains unknown whether it applies to similar provisions in Articles 13 and 14 GDPR that mention both “recipients and categories of recipients”.