Personal data buyers must be disclosed to data subjects

The European Court of Justice has ruled that personal data buyers must be disclosed to data subjects.

The European Court of Justice has ruled that companies must disclose buyers of personal data. This ruling follows the ICO’s Code of Practice on Data Sharing. Under this code, an organization that has shared personal data must provide information about the buyer to the data subject upon request. This includes details of other organizations that have been given access to the data and why this was done. Under the GDPR, companies must disclose information on the recipients or categories of recipients of personal data. This may include the names of third parties who have accessed the data and how long they have been given access. The court also noted that it is not necessary for data subjects to first exhaust local remedies before seeking redress from a dispute resolution body.


Every individual has the right to know to whom their data have been disclosed.

The right to access personal data means that individuals have a right to see the personal data held about them by companies. Companies that collect or process personal data must provide access within one month of receiving an individual’s request. The decision from the European Court of Justice makes it clear that the response to access requests needs to include information about personal data buyers.


Under the GDPR, EU citizens have the right to be forgotten

The right to be forgotten exists under the GDPR and protects individuals when it comes to the processing of their personal data. The GDPR allows an individual to ask a controller for specific personal information of theirs to be removed from its database. Individuals now have the means to exercise this right with the purchasers of their personal data as well. This ruling will relieve many data subjects who’ve felt powerless to understand how their personal information is being used. It can also be beneficial in the case of organizations that have shared personal data in the past, as they will need to identify any information buyers and provide them with details about this.


Does your company have all of the mandated safeguards in place to ensure the safety of the personal data you collect or process? Aphaia can help. Aphaia also provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today. 
