CJEU judgement on the scope of the Right of Access

September 14, 2023

The European Court determines that an individual has the right to information regarding the data consultations (such as the date and purposes), but that the individual does not (automatically) have the right to know the identity of the employees who accessed the data.

In a recent judgment of June 22, 2023, the European Court of Justice (CJEU) once again examines the right of access to personal data. The Court addresses whether an individual has the right to information about the "consultations" of his personal data by employees, including details such as the date and purposes of these consultations, as well as whether the individual has the right to know the identity of those who carried out the consultations.

Facts

Between November 1 and December 31, 2013, the customer data of the petitioner (an employee and customer of the Finnish bank Pankki S) was repeatedly accessed by various employees of the bank. In 2014, the petitioner becomes aware of these data consultations. Subsequently, the petitioner, who has since been dismissed from the bank, questions the lawfulness of the consultations and, on May 29, 2018, asks the bank to provide information regarding the identity of the persons who accessed his customer data, the specific dates of these consultations, and the purposes for which the consultations were conducted.

The bank refuses to disclose the identities of the employees who accessed the personal data, citing the potential disclosure of these employees' personal data. The bank further explains that the consultations were carried out on the instruction of the internal audit service. The petitioner might have been involved in an unauthorized conflict of interest: a branch of the bank for which the petitioner was a customer advisor was also a creditor of a person with the same family name as the petitioner.

The petitioner first brings the case before the national supervisory authority, which rejects his request. The petitioner then appeals this decision to the Finnish court, which subsequently refers a number of preliminary questions to the CJEU.

Assessment by the CJEU

The CJEU first confirms that a request for access must be assessed according to the General Data Protection Regulation (GDPR) in cases where the access request is made after the GDPR became applicable (on May 25, 2018), but the request also relates to a period before that date. The CJEU also refers to the date of the GDPR's entry into force, implying that access requests may also cover events that occurred before its enactment. In this case, the access request relates to the period between November 1 and December 31, 2013.

Next, the CJEU addresses whether the right of access extends to information related to the data consultations, including the dates, purposes, and the identities of those who carried out the consultations.

The CJEU determines that an individual has the right to information regarding the data consultations (such as the date and purposes) but not necessarily the right to know the identity of the employees who accessed the data. The CJEU rightly concludes that employees processing personal data under the authority and instructions of a data controller should not be considered as "recipients" under Article 15 of the GDPR. The employees who had access to the petitioner's personal data in the context of the internal audit acted under the authority and instructions of the bank and cannot be regarded as "recipients" whose identity must be disclosed under Article 15 of the GDPR.

The CJEU then rules that the logs showing who accessed specific personal data of the petitioner can indeed be considered "personal data" and, therefore, fall within the scope of Article 15 of the GDPR. However, the identities of the employees should not be disclosed unless it is indispensable for the individual to exercise his rights under the GDPR. In such considerations, the rights and freedoms of the employees (those who carried out the consultations) must be taken into account under Article 15(4) of the GDPR.

Finally, the CJEU rules that the fact that the data controller performs banking activities does not, in principle, affect the extent and scope of the right of access. Similarly, the circumstance that the petitioner is both a customer and an employee of the bank does not, in principle, impact the extent and scope of the right of access.

By Joep Bakker (The Data Lawyers)