Data Subject Access Request with identity of recipient

Every person has the right to know to whom his or her personal data have been disclosed.

A citizen requested Österreichische Post, the principal operator of postal and logistical services in Austria, to disclose to him the identity of the recipients to whom it had disclosed his personal data. The post gave petitioner only the categories of recipients (e.g. IT companies, mailing list providers).

Where personal data have been or will be disclosed to recipients, there is an obligation on the part of the controller to provide the data subject, on request, with the actual identity of those recipients. It is only where it is not (yet) possible to identify those recipients that the controller may indicate only the categories of recipient in question. That is also the case where the controller demonstrates that the request is manifestly unfounded or excessive.

Read more about this topic at: InfoCuria

Previous Post

€390M GDPR fine for Meta with data-fueled business model without legal basis

Next Post

Zero-day vulnerablity in FortiOS SSL VPN

Related Posts