CJEU - C-579/21 - Pankki S

From GDPRhub
Revision as of 07:34, 27 June 2023 by At
Court: CJEU
Jurisdiction: European Union
Relevant Law: Article 4(1) GDPR, Article 4(2) GDPR, Article 15 GDPR, Article 15(1) GDPR
Decided:
Parties: Pankki S, J.M., Apulaistietosuojavaltuutettu
Case Number/Name: C-579/21 Pankki S
European Case Law Identifier:
Reference from: Itä-Suomen HAO (Administrative Court of Eastern Finland, Finland)
Language: 24 EU Languages
Original Source: Judgement
Initial Contributor: n/a



English Summary

Facts

J.M. (the data subject), a former employee and a customer of a bank in Finland (the controller), learned that his customer data had been accessed by members of the bank’s staff on several occasions in 2013. The data subject had doubts about the lawfulness of those consultations. The employees who accessed the data did so under the authority of the controller and in accordance with its instructions.

In May 2018, the data subject, who had in the meantime been dismissed from his post within the bank, made an access request asking the controller to inform him of (i) the identity of the persons who had consulted his customer data, (ii) the exact dates and (iii) the purposes of those consultations. The controller refused to disclose the identity of the employees who had carried out the consultation operations, on the ground that such information constituted the personal data of those employees.

The data subject then applied to the Finnish DPA for an order that the controller should provide him with the information requested. The Finnish DPA considered that such log data constituted personal data relating to the employees who processed the data and not to the person concerned, and rejected the application.

Thereafter, the data subject brought an action against that decision before the Administrative Court of Eastern Finland (Itä-Suomen Hallinto-oikeus). That court made a reference to the CJEU for a preliminary ruling, asking in essence whether the log data generated during processing operations, in particular the identity of the controller’s employees, are covered by Article 15 GDPR, since those log data might prove necessary for a data subject to assess the lawfulness of the processing of his or her data.

Holding

Firstly, as the data subject’s access request concerned processing operations that occurred before the GDPR became applicable, the CJEU established that Article 15 GDPR applies to an access request made after the GDPR became applicable where the processing operations which that request concerns were carried out before the GDPR became applicable.

Secondly, the CJEU recalled and reinforced that the interpretation of a provision of EU law also requires teleological interpretation: the context, objectives and purpose pursued by the act of which the provision forms part must also be taken into account. Following a contextual analysis, the CJEU found that Article 15(1) GDPR is intended to ensure the transparency of the manner in which personal data are processed in relation to the data subject.

Thirdly, it was confirmed that the broad definition of the concept of ‘personal data’ enshrined in Article 4(1) GDPR includes all information resulting from the processing of personal data. It was also confirmed that the EU legislature intended to give the concept of ‘processing’ enshrined in Article 4(2) GDPR a broad scope, which also covers the consultation of personal data. The CJEU held that Article 15(1) GDPR means that information relating to consultation operations carried out on a data subject’s personal data and concerning the dates and purposes of those operations constitutes information which that person has the right to obtain from the controller.

Fourthly, the CJEU found that the employees of the controller cannot be regarded as being ‘recipients’ within the meaning of Article 15(1)(c) GDPR when they process personal data under the authority of that controller and in accordance with its instructions. However, information contained in the log data relating to the persons who have consulted the data subject’s personal data may constitute personal data capable of enabling a data subject to verify the lawfulness of the processing of his or her data and, in particular, to satisfy himself or herself that the processing operations were actually carried out under the authority of the controller and in accordance with its instructions.

After stating the above, the CJEU recalled that the right of access should not adversely affect the rights or freedoms of others. Even if the disclosure of the identity of the controller’s employees to the data subject may be necessary for that data subject in order to ensure the lawfulness of the processing, it is nevertheless liable to infringe the rights and freedoms of those employees. In the event of a conflict between (i) the exercise of an access right and (ii) the rights or freedoms of others, a balance will have to be struck between the rights and freedoms in question.

Consequently, the CJEU found that Article 15(1) GDPR does not lay down such a right in respect of information relating to the identity of the employees of that controller who carried out those operations under its authority and in accordance with its instructions, unless that information is essential in order to enable the data subject effectively to exercise the rights under the GDPR and provided that the rights and freedoms of those employees are taken into account.

Lastly, the fact that the data subject, whose personal data was processed in his capacity as a customer, was also a former employee of the controller has, in principle, no effect on the scope of the access right provided by Article 15 GDPR.
