CJEU - C-579/21 - Pankki S

From GDPRhub
Revision as of 12:51, 27 June 2023 by At (talk | contribs)
CJEU - C-579/21 Pankki S
Cjeulogo.png
Court: CJEU
Jurisdiction: European Union
Relevant Law: Article 4(1) GDPR
Article 4(2) GDPR
Article 15 GDPR
Article 15(1) GDPR
Decided:
Parties: Pankki S
J.M.
Apulaistietosuojavaltuutettu
Case Number/Name: C-579/21 Pankki S
European Case Law Identifier:
Reference from: Itä-Suomen HAO (Administrative Court of Eastern Finland, Finland)
Language: 24 EU Languages
Original Source: Judgement
Initial Contributor: n/a


In principle, Article 15(1) GDPR does not give the data subject a right to obtain information of the identities of the employees, unless that information is essential in order to enable the data subject effectively to exercise its rights, provided that the rights and freedoms of those employees are taken into account.

English Summary

Facts

J.M. (the data subject) - a former employee and a customer - of a bank in Finland (the controller) had learned that his customer data had been accessed by members of the bank’s staff on several occasions in 2013. The data subject had doubts of the lawfulness of those consultations.

In May 2018, the data subject - who had in the meantime been dismissed from his post within the bank - made an access request asking the controller to inform him of i. the identity of the persons who had consulted his customer data, ii. the exact dates and iii. the purposes of those consultations. The controller refused to disclose the identity of the employees who had carried out the consultation operations, on the ground that such information constituted the personal data of those employees. There was a suspicion of a conflict of interests in relation to the data subject which the controller said required processing of the data in question.

The data subject then applied to the Finnish DPA for an order that the controller should provide him with the information requested. The Finnish DPA sided with the controller, and considered, that such log data constituted personal data relating to the employees who processed the data, and rejected the application.

Thereafter, the data subject brought an action against that decision before the Administrative Court of Eastern Finland. The Court referred to the CJEU for a preliminary ruling asking, essentially, whether the log data generated during processing operations, in particular, the identity of the controller’s employees, is covered by Article 15 GDPR, since, those log data might prove necessary to a data subject to assess the lawfulness of the processing of his or her data.

Holding

Firstly, the CJEU found that a data subject has the right under Article 15(1) GDPR to obtain information relating to consultation operations carried out on the data subject’s personal data, and the dates, and purposes of those operations from the controller.

Secondly, the CJEU held that the employees of the controller cannot be regarded as being ‘recipients’, within the meaning of Article 15(1)(c) GDPR when they process personal data under the authority of that controller in accordance with its instructions.

However, even though employees are not regarded as recipients, it was noted that by the CJEU that information relating to the persons who have consulted the data subject’s personal data that are contained in the log data, may constitute personal data under Article 4(1) GDPR of the data subject, that enablies the data subject to verify the lawfulness of the processing of his or her data and, in particular, to satisfy him or herself that the processing operations were actually carried out under the authority of the controller and in accordance with its instructions.

After stating the above, the CJEU, furhtermore recalled, that the right of access should not adversely affect the rights or freedoms of others. Even if the disclosure of the identity of the controller’s employees to the data subject may be necessary for that data subject in order to ensure the lawfulness of the processing, it is nevertheless liable to infringe the rights and freedoms of those employees. In the event of a conflict between, on the one hand, i. the exercise of an access right and, on the other hand, ii. the rights or freedoms of others, a balance will have to be struck between the rights and freedoms in question.

Consequently, the CJEU found that Article 15(1) GDPR does not lay down a rigth to the data subject to obtain the identities of the employees who carried out those operations under the controller's authority and in accordance with its instructions, unless that information is essential in order to enable the data subject effectively to exercise the rights under the GDPR and provided that the rights and freedoms of those employees are taken into account.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!