CJEU says individuals have the right to know when and why people look at their personal information

June 26, 2023

The Court of Justice of the European Union has issued its ruling in Case C-579/21 | Pankki S.

In 2014, an employee of the bank Pankki S, who was also a customer, learnt that his colleagues had looked at his personal information on several occasions. He doubted that this was lawful. On 29 May 2018, when the GDPR came into force, he asked Pankki S to tell him who had looked at his customer data, the exact dates of the access and the purposes for which that data had been processed.

Pankki S refused to disclose the identity of the employees who had carried out the consultation operations, saying it constituted the personal data of those employees. However, it did say that its internal audit department had accessed the complainant's data. It stated that a customer of the bank, for whom the complainant was the customer advisor, was a creditor of a person also bearing the applicant's surname. Therefore, the bank had wished to clarify whether the applicant and the debtor in question were one and the same person and whether there could have been any impermissible conflict of interests. Pankki S said that this required the processing of the data at issue, specifying that every member of the bank's staff who had processed that data had made a statement to the internal audit department giving the reasons for processing that data. In addition, the bank stated that this ruled out any suspicion of conflict of interests in relation to the applicant.

The applicant applied to the Data Protection Supervisor's Office, Finland, seeking an order that Pankki S provide him with the information requested. That was rejected, so he took the issue to the courts, which referred the case to the CJEU, asking it to interpret Article 15 of the GDPR.

The CJEU observed that the GDPR, which had been applicable since 25 May 2018, applies to a request made after that date where that request concerned the processing of personal data carried out before the date on which the GDPR took effect.

The CJEU also held that the GDPR means that information relating to consultation operations carried out on a data subject's personal data and concerning the dates and purposes of those operations constitutes information which that person has the right to obtain from the controller. On the other hand, the GDPR does not provide for such a right regarding information relating to the identity of the employees who carried out those operations in accordance with the controller's instructions, unless that information is essential to enable the data subject effectively to exercise the rights conferred on them under the GDPR and provided that the rights and freedoms of those employees are taken into account. If there is a conflict between the exercise of a right of access which ensures the effectiveness of the rights conferred on the data subject by the GDPR and the rights or freedoms of others, a balance will have to be struck between the rights and freedoms in question. Wherever possible, means of communicating personal data that do not infringe the rights or freedoms of others should be chosen.

Lastly, the Court ruled that two facts have, in principle, no effect on the scope of the right conferred on the data subject: that the controller is engaged in the business of banking and acts within the framework of a regulated activity, and that the data subject, whose personal information has been processed in his capacity as a customer of the controller, was also an employee of that controller.