CJEU - C-579/21 - Pankki S: Difference between revisions

From GDPRhub
(Created page with "{{CJEUdecisionBOX |Case_Number_Name=C-579/21 Pankki S |ECLI= |Opinion_Link= |Judgement_Link=https://curia.europa.eu/juris/document/document.jsf?text=&docid=274867&pageIndex=0&doclang=EN&mode=req&dir=&occ=first&part=1&cid=1280517 |Date_Decided= |Year= |GDPR_Article_1=Article 4(1) GDPR |GDPR_Article_Link_1=Article 4 GDPR#1 |GDPR_Article_2=Article 4(2) GDPR |GDPR_Article_Link_2=Article 4 GDPR#2 |GDPR_Article_3=Article 15 GDPR |GDPR_Article_Link_3=Article 15 GDPR |GDPR_A...")
 
No edit summary
 
(13 intermediate revisions by 3 users not shown)
Line 44: Line 44:
|Party_Link_5=
|Party_Link_5=


|Reference_Body=Itä-Suomen HAO (Administrative Court of Eastern Finland, Finland)
|Reference_Body=Administrative Court of Eastern Finland
|Reference_Case_Number_Name=
|Reference_Case_Number_Name=


Line 51: Line 51:
}}
}}


[to be updated]
The CJEU found that, in principle, [[Article 15 GDPR|Article 15(1) GDPR]] does not give the data subject a right to obtain information of the identities of the employees who have consulted their personal data, unless that information is essential in order to enable the data subject to exercise its rights, provided that the rights and freedoms of those employees are taken into account.


==English Summary==
==English Summary==


=== Facts ===
=== Facts ===
J.M. (the data subject) a former employee and a customer - of a banking institution in Finland (the controller) had learned that his own customer data had been accessed by members of the bank’s staff on several occasions in 2013. This led him to doubting the lawfulness of those consultations. The employees who accessed the data did so under the authority of the controller and in accordance with the controller’s instructions.
J.M. (the data subject), a former employee and a customer of a bank in Finland (the controller), had learned that his customer data had been accessed by members of the bank’s staff on several occasions in 2013. The data subject had doubts of the lawfulness of those consultations.
In May 2018, the data subject made an access request to the controller asking to inform him of the identity of the persons who had consulted his customer data, the exact dates and the purposes of those consultations. The controller refused to disclose the identity of the employees who had carried out the consultation operations on the ground that such information constituted the personal data of those employees.
 
The data subject then applied to the Finnish DPA for an order that the controller should provide him with the information requested. The Finnish DPA agreed with the controller’s interpretation by considering that such log data constituted personal data relating not to the person concerned but to the employees who processed the data of that person and rejected the application.
In May 2018, the data subject - who had in the meantime been dismissed from his post within the bank - made an access request asking the controller to inform him of i.) the identity of the persons who had consulted his customer data, ii.) the exact dates and iii.) the purposes of those consultations. The controller refused to disclose the identity of the employees who had carried out the consultation operations, on the ground that such information constituted the personal data of those employees. There was a suspicion of a conflict of interests in relation to the data subject which the controller said required processing of the data in question.
Thereafter, the data subject brought an action against that decision before the Administrative Court of Eastern Finland (Itä-Suomen Hallinto-oikeus). The Court referred to the CJEU for a preliminary ruling. Essentially, the Court asked whether the log data generated during processing operations, in particular, the identity of the controller’s employees, is covered by [[Article 15 GDPR|Article 15 GDPR]], since those log data might prove necessary to the data subject for the purposes of assessing the lawfulness of the processing of his or her data.
 
The data subject then applied to the Finnish DPA for an order that the controller should provide him with the information requested. The Finnish DPA sided with the controller and considered that such log data constituted personal data relating to the employees who processed the data and rejected the application.
 
Thereafter, the data subject brought an action against that decision before the Administrative Court of Eastern Finland. The Court referred to the CJEU for a preliminary ruling asking, essentially whether the log data generated during processing operations, in particular the identity of the controller’s employees, is covered by [[Article 15 GDPR]] since those log data might prove necessary to a data subject to assess the lawfulness of the processing of his or her data.


=== Holding ===
=== Holding ===
Firstly, as the data subject’s access request concerned processing operations that occurred before the GDPR became applicable, the CJEU established that [[Article 15 GDPR|Article 15 GDPR]], read in the light of [[Article 99 GDPR#2|Article 99(2) GDPR]] is applicable to an access request where the processing operations which that request concerns were carried out before the date on which the GDPR became applicable, but the request was submitted after that date.
Firstly, the CJEU found that a data subject has the right under [[Article 15 GDPR|Article 15(1) GDPR]] to obtain information from the controller relating to consultation operations carried out on the data subject’s personal data and information concerning the dates as well as purposes of those consulting operations.
Secondly, it was recalled and further reinforced by the CJEU that interpretation of a provision of EU law requires also teleological interpretation. Therefore, also the context, objectives and purpose pursued by the act of which a provision forms part, must be taken into account. Essentially, following a contextual analysis, it was found, that [[Article 15 GDPR#1|Article 15(1) GDPR]] intends to ensure the transparency of the manner in which personal data are processed in relation to the data subject.
 
Thirdly, as has been held in previous EU case law (Österreichische Datenschutzbehörde and CRIF, C‑487/21), the CJEU found that the broad definition of the concept of ‘personal data’ enshrined in Art. 4(1) GDPR includes all information resulting from the processing of personal data relating to an identified or identifiable person. Moreover, the CJEU held that the EU legislature intended to give the concept of ‘processing’ enshrined in Art. 4(2) GDPR a broad scope which also covers the consultation of personal data.  
Secondly, the CJEU held that the employees of the controller cannot be regarded as being ‘''recipients''’, within the meaning of [[Article 15 GDPR|Article 15(1)(c) GDPR]] when they process personal data under the authority of that controller in accordance with its instructions.
Fourthly, the CJEU held that the employees of the controller cannot be regarded as being ‘recipients’, within the meaning of Art. 15(1)(c) GDPR when they process personal data under the authority of that controller in accordance with its instructions. However, information contained in log data relating to the persons who have consulted the data subject’s personal data, could constitute personal data capable of enabling a data subject to verify the lawfulness of the processing of his or her data and, in particular, to satisfy him or herself that the processing operations were actually carried out under the authority of the controller and in accordance with its instructions.
 
After stating the above, the CJEU recalled that, as regards the right of access, that right should not adversely affect the rights or freedoms of others. Even if the disclosure of the identity of the controller’s employees to the data subject may be necessary for that data subject in order to ensure the lawfulness of the processing, it is nevertheless liable to infringe the rights and freedoms of those employees. In the event of a conflict between, on the one hand, the exercise of an access right and, on the other hand, the rights or freedoms of others, a balance will have to be struck between the rights and freedoms in question.  
However, even though employees are not regarded as recipients, it was noted that by the CJEU that information relating to the persons who have consulted the data subject’s personal data that are contained in the log data may constitute personal data under [[Article 4 GDPR|Article 4(1) GDPR]] of the data subject, that enables the data subject to verify the lawfulness of the processing of his or her data and in particular to satisfy him or herself that the processing operations were actually carried out under the authority of the controller and in accordance with its instructions.
Eventually, the CJEU found that [[Article 15 GDPR#1|Article 15(1) GDPR]] must be interpreted as meaning that information relating to consultation operations carried out on a data subject’s personal data and concerning the dates and purposes of those operations constitutes information which that person has the right to obtain. On the other hand, Art. 15(1) GDPR does not lay down such a right in respect of information relating to the identity of the employees of that controller who carried out those operations under its authority and in accordance with its instructions, unless that information is essential in order to enable the data subject effectively to exercise the rights conferred on him or her by that regulation and provided that the rights and freedoms of those employees are taken into account.
 
Lastly, with regard to the fact that the data subject - whose personal data was processed in his capacity of a customer of the controller – was also a former employee of the controller, in principle, the CJEU found to have no effect on the scope of the access right provided in [[Article 15 GDPR|Article 15 GDPR]].
After stating the above, the CJEU, furthermore recalled that the right of access should not ''adversely affect the rights or freedoms of others''. Even if the disclosure of the identity of the controller’s employees to the data subject may be necessary for that data subject in order to ensure the lawfulness of the processing, it is nevertheless liable to infringe the rights and freedoms of those employees. In the event of a conflict between, on the one hand, i.) the exercise of an access right and, on the other hand, ii.) the rights or freedoms of others, a balance will have to be struck between the rights and freedoms in question.  
 
Consequently, the CJEU found that [[Article 15 GDPR|Article 15(1) GDPR]] does not lay down a right to the data subject to obtain the identities of the employees who carried out the consultation operations under the controller's authority and in accordance with its instructions, unless that information is essential in order to enable the data subject effectively to exercise the rights under the GDPR and provided that the rights and freedoms of those employees are taken into account.  


== Comment ==
== Comment ==
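Review bot: the rewritten Holding in this hunk drops three points that the previous text stated and that the new text does not cover anywhere else. First, that Article 15 GDPR read in the light of Article 99(2) GDPR applies where the processing predates the GDPR's applicability but the request was submitted after it; the Facts still describe consultations in 2013 and a request in May 2018, so a reader is left without the reason the GDPR applies at all. Second, the broad reading of 'personal data' and 'processing' under Article 4(1) and 4(2) GDPR (with the C‑487/21 reference). Third, that the data subject's status as a former employee has, in principle, no effect on the scope of the access right. Suggest restoring each as a short paragraph. The new Facts and Reference_Body also lose the court's Finnish name (Itä-Suomen Hallinto-oikeus), which is worth keeping once in parentheses. Wording in the new lines: "it was noted that by the CJEU that" has a stray "that", and "doubts of the lawfulness" should read "doubts about the lawfulness".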

Latest revision as of 12:56, 28 June 2023

CJEU - C-579/21 Pankki S
Court: CJEU
Jurisdiction: European Union
Relevant Law: Article 4(1) GDPR, Article 4(2) GDPR, Article 15 GDPR, Article 15(1) GDPR
Decided:
Parties: Pankki S, J.M., Apulaistietosuojavaltuutettu
Case Number/Name: C-579/21 Pankki S
European Case Law Identifier:
Reference from: Administrative Court of Eastern Finland
Language: 24 EU Languages
Original Source: Judgement
Initial Contributor: n/a

The CJEU found that, in principle, Article 15(1) GDPR does not give the data subject a right to obtain information on the identities of the employees who have consulted their personal data, unless that information is essential to enable the data subject to exercise their rights, and provided that the rights and freedoms of those employees are taken into account.

English Summary

Facts

J.M. (the data subject), a former employee and a customer of a bank in Finland (the controller), had learned that his customer data had been accessed by members of the bank’s staff on several occasions in 2013. The data subject had doubts about the lawfulness of those consultations.

In May 2018, the data subject, who had in the meantime been dismissed from his post within the bank, made an access request asking the controller to inform him of (i) the identity of the persons who had consulted his customer data, (ii) the exact dates and (iii) the purposes of those consultations. The controller refused to disclose the identity of the employees who had carried out the consultation operations, on the ground that such information constituted the personal data of those employees. There was a suspicion of a conflict of interests in relation to the data subject which the controller said required processing of the data in question.

The data subject then applied to the Finnish DPA for an order that the controller should provide him with the information requested. The Finnish DPA sided with the controller and considered that such log data constituted personal data relating to the employees who processed the data and rejected the application.

Thereafter, the data subject brought an action against that decision before the Administrative Court of Eastern Finland. The Court referred the matter to the CJEU for a preliminary ruling, asking, essentially, whether the log data generated during processing operations, in particular the identity of the controller’s employees, are covered by Article 15 GDPR, since those log data might prove necessary for a data subject to assess the lawfulness of the processing of his or her data.

Holding

Firstly, the CJEU found that a data subject has the right under Article 15(1) GDPR to obtain information from the controller relating to consultation operations carried out on the data subject’s personal data, as well as information concerning the dates and purposes of those consultation operations.

Secondly, the CJEU held that the employees of the controller cannot be regarded as being ‘recipients’ within the meaning of Article 15(1)(c) GDPR when they process personal data under the authority of that controller and in accordance with its instructions.

However, even though employees are not regarded as recipients, the CJEU noted that information contained in the log data relating to the persons who have consulted the data subject’s personal data may constitute personal data of the data subject under Article 4(1) GDPR. Such information enables the data subject to verify the lawfulness of the processing of his or her data and, in particular, to satisfy him or herself that the processing operations were actually carried out under the authority of the controller and in accordance with its instructions.

After stating the above, the CJEU furthermore recalled that the right of access should not adversely affect the rights or freedoms of others. Even if the disclosure of the identity of the controller’s employees to the data subject may be necessary for that data subject in order to ensure the lawfulness of the processing, it is nevertheless liable to infringe the rights and freedoms of those employees. In the event of a conflict between, on the one hand, the exercise of an access right and, on the other hand, the rights or freedoms of others, a balance will have to be struck between the rights and freedoms in question.

Consequently, the CJEU found that Article 15(1) GDPR does not give the data subject a right to obtain the identities of the employees who carried out the consultation operations under the controller's authority and in accordance with its instructions, unless that information is essential to enable the data subject effectively to exercise the rights under the GDPR, and provided that the rights and freedoms of those employees are taken into account.
