The CJEU has established that where personal data have been or are to be disclosed to recipients, the controller has the obligation to provide the data subject, upon request, with the identity of those recipients.
If it is not possible to identify these recipients or if the request is manifestly unfounded or excessive, the controller may limit itself to indicating only the categories of recipients concerned. The burden of proving that the request is manifestly unfounded or excessive shall lie with the operator.
The CJEU has held that the way in which personal data is processed must be transparent, which means that the information provided to the data subject must be as accurate as possible.
However, it may be accepted that in certain circumstances it is not possible to provide information on specific recipients. Therefore, the right of access may be limited to information on categories of recipients if it is not possible to disclose the identity of the specific recipients, in particular if they are not yet known.
(link)
