Privacy policy: How to specify data recipients?

Time and again, the GDPR gives new reasons to argue about the proper execution of data protection. For example, there is still disagreement about how specifically to specify data recipients in a privacy statement.

Learn here what the opinions are and how best to address the issue in your privacy policy.

What does the GDPR say about naming data recipients?

The GDPR stipulates in Art. 13 I lit. e and in Art. 14 I lit. e that the data subject must be informed of "the recipients or categories of recipients of the personal data". The word "or" causes problems here, as it suggests that the controller can choose whether to specify "processor pursuant to Art. 28 GDPR" or "company xy" as recipients, for example. In fact, however, there is disagreement among data protection experts as to whether the controller is free to choose here. Above all, it is questionable to what extent the transparency requirement forces the controller to name a specific recipient.

How do supervisory authorities interpret the GDPR here?

Even among data protection supervisory authorities, there is disagreement about the interpretation of these provisions.

The Hessian Commissioner for Data Protection and Freedom of Information interprets the regulations restrictively. Data recipients would have to be named as specifically as possible, especially in the healthcare sector. The authority thus decides in favor of transparency and rejects the controller's free choice in naming recipients.

The State Commissioner for Data Protection in Lower Saxony does not specify the interpretation. This gives the impression that the controller's free choice is being advocated. The same impression is given by the Data Protection Conference (DSK), which only repeats the wording of the law in a short paper.

How else are the regulations interpreted?

The former Article 29 Working Party has also taken a position. In a guideline they drafted, the group advocates the greatest possible transparency, but against an unconditional requirement for specific naming. Instead, the group only recommends that the information be formulated "as precisely as possible.

How should you specify data recipients in practice?

As a data controller, the safest way to drive is to follow the strictest view. In this case, this means always naming the data recipients specifically. The information is then as transparent as possible.

If, in an individual case, the responsible party does specify only one category of recipient, it is advisable to formulate this specification as specifically as possible.

Do you need assistance with the wording of your privacy policy? Contact here our team of experts. We will be happy to help you!