CJEU - C-579/21 - Pankki S
| CJEU - C-579/21 Pankki S | |
|---|---|
 | |
| Court: | CJEU |
| Jurisdiction: | European Union |
| Relevant Law: | Article 4(1) GDPR Article 4(2) GDPR Article 15 GDPR Article 15(1) GDPR |
| Decided: | |
| Parties: | Pankki S J.M. Apulaistietosuojavaltuutettu |
| Case Number/Name: | C-579/21 Pankki S |
| European Case Law Identifier: | |
| Reference from: | Administrative Court of Eastern Finland |
| Language: | 24 EU Languages |
| Original Source: | Judgement |
| Initial Contributor: | n/a |
The CJEU found that, in principle, Article 15(1) GDPR does not give the data subject a right to obtain information of the identities of the employees who have consulted their personal data, unless that information is essential in order to enable the data subject to exercise its rights, provided that the rights and freedoms of those employees are taken into account.
English Summary
Facts
J.M. (the data subject), a former employee and a customer of a bank in Finland (the controller), had learned that his customer data had been accessed by members of the bank’s staff on several occasions in 2013. The data subject had doubts of the lawfulness of those consultations.
In May 2018, the data subject - who had in the meantime been dismissed from his post within the bank - made an access request asking the controller to inform him of i.) the identity of the persons who had consulted his customer data, ii.) the exact dates and iii.) the purposes of those consultations. The controller refused to disclose the identity of the employees who had carried out the consultation operations, on the ground that such information constituted the personal data of those employees. There was a suspicion of a conflict of interests in relation to the data subject which the controller said required processing of the data in question.
The data subject then applied to the Finnish DPA for an order that the controller should provide him with the information requested. The Finnish DPA sided with the controller and considered that such log data constituted personal data relating to the employees who processed the data and rejected the application.
Thereafter, the data subject brought an action against that decision before the Administrative Court of Eastern Finland. The Court referred to the CJEU for a preliminary ruling asking, essentially whether the log data generated during processing operations, in particular the identity of the controller’s employees, is covered by Article 15 GDPR since those log data might prove necessary to a data subject to assess the lawfulness of the processing of his or her data.
Holding
Firstly, the CJEU found that a data subject has the right under Article 15(1) GDPR to obtain information from the controller relating to consultation operations carried out on the data subject’s personal data and information concerning the dates as well as purposes of those consulting operations.
Secondly, the CJEU held that the employees of the controller cannot be regarded as being ‘recipients’, within the meaning of Article 15(1)(c) GDPR when they process personal data under the authority of that controller in accordance with its instructions.
However, even though employees are not regarded as recipients, it was noted that by the CJEU that information relating to the persons who have consulted the data subject’s personal data that are contained in the log data may constitute personal data under Article 4(1) GDPR of the data subject, that enables the data subject to verify the lawfulness of the processing of his or her data and in particular to satisfy him or herself that the processing operations were actually carried out under the authority of the controller and in accordance with its instructions.
After stating the above, the CJEU, furthermore recalled that the right of access should not adversely affect the rights or freedoms of others. Even if the disclosure of the identity of the controller’s employees to the data subject may be necessary for that data subject in order to ensure the lawfulness of the processing, it is nevertheless liable to infringe the rights and freedoms of those employees. In the event of a conflict between, on the one hand, i.) the exercise of an access right and, on the other hand, ii.) the rights or freedoms of others, a balance will have to be struck between the rights and freedoms in question.
Consequently, the CJEU found that Article 15(1) GDPR does not lay down a right to the data subject to obtain the identities of the employees who carried out the consultation operations under the controller's authority and in accordance with its instructions, unless that information is essential in order to enable the data subject effectively to exercise the rights under the GDPR and provided that the rights and freedoms of those employees are taken into account.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
