CJEU - C-579/21 - Pankki S
CJEU - C-579/21 Pankki S | |
---|---|
Court: | CJEU |
Jurisdiction: | European Union |
Relevant Law: | Article 4(1) GDPR Article 4(2) GDPR Article 15 GDPR Article 15(1) GDPR |
Decided: | |
Parties: | Pankki S J.M. Apulaistietosuojavaltuutettu |
Case Number/Name: | C-579/21 Pankki S |
European Case Law Identifier: | |
Reference from: | Itä-Suomen HAO (Administrative Court of Eastern Finland, Finland) |
Language: | 24 EU Languages |
Original Source: | Judgement |
Initial Contributor: | n/a |
[to be updated]
English Summary
Facts
J.M. (the data subject) - a former employee and a customer - of a banking institution in Finland (the controller) had learned that his customer data had been accessed by members of the bank’s staff on several occasions in 2013. This led the data subject to doubt the lawfulness of those consultations. The employees who accessed the data, did so, under the authority of the controller and in accordance with its instructions.
In May 2018, the data subject made an access request to the controller asking to inform him of the i. identity of the persons who had consulted his customer data, the ii. exact dates and the iii. purposes of those consultations. The controller refused to disclose the identity of the employees who had carried out the consultation operations, on the ground that such information constituted the personal data of those employees.
The data subject then applied to the Finnish DPA for an order that the controller should provide him with the information requested. The Finnish DPA agreed with the controller’s interpretation by considering that such log data constituted personal data relating to the employees who processed the data and not to the person concerned and rejected the application.
Thereafter, the data subject brought an action against that decision before the Administrative Court of Eastern Finland (Itä-Suomen Hallinto-oikeus). The Court referred to the CJEU for a preliminary ruling and, essentially, asked whether the log data generated during processing operations, in particular, the identity of the controller’s employees, is covered by Article 15 GDPR, since, those log data might prove necessary to the data subject for the purposes of assessing the lawfulness of the processing of his or her data.
Holding
Firstly, as the data subject’s access request concerned processing operations that occurred before the GDPR became applicable, the CJEU established that Article 15 GDPR, read in the light of Article 99(2) GDPR, is applicable to an access request where the processing operations which that request concerns were carried out before the date on which the GDPR became applicable, but the request was submitted after that date.
Secondly, it was recalled and further reinforced by the CJEU that interpretation of a provision of EU law requires also teleological interpretation. Therefore, also the context, objectives and purpose pursued by the act of which a provision forms part, must be taken into account. Following a contextual analysis, it was found, that Article 15(1) GDPR intends to ensure the transparency of the manner in which personal data are processed in relation to the data subject.
Thirdly, as has already been held in EU case law (Österreichische Datenschutzbehörde and CRIF, C‑487/21), the CJEU found that the broad definition of the concept of ‘personal data’ enshrined in Art. 4(1) GDPR includes all information also resulting from the processing of personal data. Moreover, the CJEU held that the EU legislature intended to give the concept of ‘processing’ enshrined in Art. 4(2) GDPR a broad scope which also covers the consultation of the personal data.
Fourthly, the CJEU found that the employees of the controller cannot be regarded as being ‘recipients’, within the meaning of Art. 15(1)(c) GDPR when they process personal data under the authority of that controller in accordance with its instructions. However, information contained in the log data relating to the persons who have consulted the data subject’s personal data, may constitute personal data capable of enabling a data subject to verify the lawfulness of the processing of his or her data and, in particular, to satisfy him or herself that the processing operations were actually carried out under the authority of the controller and in accordance with its instructions.
After stating the above, the CJEU recalled that the right of access should not adversely affect the rights or freedoms of others. Even if the disclosure of the identity of the controller’s employees to the data subject may be necessary for that data subject in order to ensure the lawfulness of the processing, it is nevertheless liable to infringe the rights and freedoms of those employees. In the event of a conflict between, on the one hand, i. the exercise of an access right and, on the other hand, ii. the rights or freedoms of others, a balance will have to be struck between the rights and freedoms in question.
Eventually, the CJEU found that Article 15(1) GDPR must be interpreted as meaning that information relating to consultation operations carried out on a data subject’s personal data and concerning the dates and purposes of those operations constitutes information which that person has the right to obtain. On the other hand, Art. 15(1) GDPR does not lay down such a right in respect of information relating to the identity of the employees of that controller who carried out those operations under its authority and in accordance with its instructions, unless that information is essential in order to enable the data subject effectively to exercise the rights under the GDPR and provided that the rights and freedoms of those employees are taken into account.
Lastly, the CJEU found the fact that the data subject - whose personal data was processed in his capacity of a customer – was also a former employee of the controller, in principle, to have no effect on the scope of the access right provided in Article 15 GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!