When personal information is transferred between data controllers the GDPR imposses certain requirements. Among these are information that must be provided to the data subject. As I understand it this is in both the Right to be informed in the case the subject makes a Subject Access Request and Article 14 Information to be provided where personal data have not been obtained from the data subject which applies in all cases, and is frequently discharged by a privacy policy.
How specific does this information need to be?
To take an example the AXA privacy policy has three pages (36 - 38) of very general classes of organisations like "Financial organisations and advisers" and "Our third party services providers such as IT suppliers...".
Suppose someone made a Subject Access Request requesting the controller to
provide a list of all third parties with whom you have (or may have) shared my personal data.
Would the information in the linked document above be sufficient to discharge all the data controllers responsibilities under both the Right to be informed and Article 14?
