On 12 January 2023, the Court of Justice of the European Union ruled that individuals have the right to know to whom their personal data has been disclosed, unless the controller can demonstrate that it is impossible to identify the recipients or that the request is manifestly unfounded or excessive. Controllers must be able to provide information on the actual identity of all individuals and organizations to whom personal data is disclosed. This can be done for example, by maintaining up-to-date records on the sharing of personal data or by any other (technical) means.
Author
Florence D'Ath
BrowsingFlorence D'Ath is senior associate and head of the IPTech Practice Group in Luxembourg. Florence has more than eight years of experience in advising clients and representing them in court or in other proceedings. Prior to joining Baker McKenzie, Florence was a member of the Litigation and Risk Management Department of a leading Benelux law firm in Brussels and Luxembourg. She holds a doctorate in data protection law and regularly publishes academic articles in that field. She teaches EU law and data protection law at the University of Luxembourg and provides advanced training courses in commercial, IP/IT and regulatory law for both the private and public sector.