The Court of Justice of the European Union (the “CJEU”) has held that controllers must inform data subjects of the actual identities of the recipients of data subjects’ personal data when responding to a data subject access request.

Article 15(1)(c) GDPR states that the controller must provide information on the recipients or the categories of recipient to whom personal data have been or will be disclosed.

The CJEU held in Case C-154/21 that the actual identities of recipients should be disclosed except where the data subject elects to request information concerning the categories of recipients only or where the controller can demonstrate that:

• it is impossible to provide the identities of recipients (for example, if the recipients are not yet known); or
• the request is manifestly unfounded or excessive (in particular due to the repetitive nature of the requests from the data subject to the same controller).

This judgment will increase the operational burden on controllers when responding to data subject access requests. From this point on it would be sensible for controllers to create and maintain a list of the recipients that personal data is disclosed to.

“…the data subject must have, in particular, the right to be informed of the identity of the specific recipients where his or her personal data have already been disclosed”

https://curia.europa.eu/juris/document/document.jsf?text=&docid=269146&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=2874935