Individuals have a right to access information held by organisations pertaining to the dates on and purposes for which their personal data has been consulted by that organisation, the EU’s highest court has ruled.
The Court of Justice of the EU (CJEU) also confirmed, however, that organisations will generally not have to reveal the identity of the employees who consulted the individuals’ data on their instruction, when requested by the individual to do so.
The CJEU provided clarity on the right of access under the EU General Data Protection Regulation (GDPR) in a case referred to it by a court in Finland where a dispute had arisen between a bank, Pankki S, and a man who was both an employee and customer of the bank.
The man, referred to in the CJEU’s judgment as J.M., discovered that his personal data had been consulted by other members of the bank’s staff. He asked the bank to inform him about the identity of the persons who had access to his customer data, the exact dates of the consultations, and the purposes for which those data had been processed.
Pankki S refused to disclose the identities of the staff members who had consulted J.M.’s data on the ground that that information constituted the personal data of those employees. However, the bank did provide further details of the consultation operations carried out on its instructions by its internal audit department.
J.M. complained to the Finnish Data Protection Supervisor’s Office. He asked it to order that the bank provide him with the information requested. When that application was rejected, J.M. lodged legal proceedings before the Administrative Court of Eastern Finland. To help it resolve the dispute, the Finnish court asked the CJEU how Article 15 of the GDPR should be interpreted in the context of J.M.’s case. Article 15 sets out the rights individuals have under the GDPR to access information concerning the processing of their personal data by organisations.
While the CJEU considered that right extends to information relating to the dates and purposes of processing operations, it said that it does not extend to information concerning the identity of employees who carry out the processing “unless that information is essential in order to enable the person concerned effectively to exercise the rights conferred on him or her by that regulation and provided that the rights and freedoms of those employees are taken into account”.
The CJEU also clarified that the right of access under the GDPR applies to requests pertaining to processing operations carried out before the GDPR became applicable but where the request itself was made after that date. In this case, J.M.’s data was consulted in 2014 but he did not file a data subject access request until 29 May 2018 – four days after the GDPR took effect.