In its ruling in case C-579/21, the European Court of Justice emphasizes the right to information to know when and why one’s personal data is accessed, as set forth in Article 15 of the GDPR.
The fact that the data controller is engaged in banking business does not affect the scope of that right.
Although the ECJ recognized the right of access to information on data consultation, it did state that disclosure of the identity of employees depends on the necessity for the effective exercise of the data subject’s rights and respect for the employees’ rights.
The nature of the controller as a bank and the dual role of the employee did not affect the data subject’s right to access their data.
Investigation into possible conflict of interest of bank employee: Inspection of customer data and processing purposes
J.M. is employed by a Finnish bank and is at the same time also customer of dihe bank. Between Nov. 1 and Dec. 31, 2013, four Bank of Finland employees visited J.M. for inspection. These employees have access to J.M.’s customer data. These data are processed because his name came up when processing the data of another customer of the bank. J.M was both relationship manager and representative of the bank with the customer and had thereby also a personal debt to thethem customer. As a result, dthe four employees of the bank that there may have been was of an improper conflict of interest.
Bank employees vs. customer under GDPR
J.M. asked the bank to see the log data of four employees in the bank’s data processing system. With his inspection request, J.M. would find out, among other things, why he was fired from the bank.
The bank denied the request, concluding that the log data was the “personal data” of the four bank employees and not J.M. Such log data would therefore not fall within the scope of GDPR access rights. The dispute between the bank and J.M. eventually ended up before the referring national court.
EU ECJ asked for clarification: Right to access log data under GDPR
The referring court requests clarification from the EU ECJ on the right of access to personal data under Article 15(1) of the GDPR. The court wants to know whether the data collected by the data controller, showing the identity of the persons who processed the personal data of the data subject and the time of processing of that personal data (“log data”), should be considered “information” within the meaning of Article 15(1) of the GDPR, to which the data subject has a right of access.
CJEU: Right to access personal data under GDPR limited to information on consultations and purposes
The ECJ noted that the GDPR also applies to a request that relates to a processing of personal data before the GDPR came into force.
The ECJ also ruled that the GDPR clearly states that information about consultations carried out by operators on a data subject’s personal data and about the dates and purposes of those operations is information about which the data subject has the right to obtain from the controller.
In contrast, the GDPR does not provide such a right with respect to information about the identity of the employees who have carried out these operations in accordance with the controller’s instructions, unless such information is essential to enable the data subject to exercise the rights granted to him under the GDPR and provided that the rights and freedoms of those employees are taken into account.
ECJ: Balancing right of access and rights/freedoms of others under GDPR
In the event of a conflict between, on the one hand, the exercise of a right of access that ensures the effectiveness of the rights granted to the data subject by the GDPR and, on the other hand, the rights or freedoms of others, a balance will have to be struck between the different rights and freedoms of the data subjects. Where possible, means of transferring personal data should be chosen that do not infringe on the rights or freedoms of others.
Finally, the Court held that the fact that the controller banks and acts in the course of a regulated activity and that the data subject, whose personal data are processed, in his capacity as a customer of the controller, is also an employee of that controller, does not in principle affect the scope of the right granted to that data subject.
The EUCJEU has, with this ruling, made an important brought clarification regarding the right of inspection for data subjects. If you have any questions regarding your right to access, contact an accredited DPO.