Luxembourg, 22 June 2023
PRESS RELEASE No 107/23
Every person has the right to know the date of and the reasons for the consultation of his or her personal data.
The fact that the data controller is engaged in the business of banking has no effect on the scope of that right.
In 2014, an employee of the bank Pankki S who was, at the same time, a customer of that bank, learnt that his personal data had been consulted by other members of the bank’s staff, on several occasions, between 1 November and 31 December 2013. Since he had doubts as to the lawfulness of those consultations, that employee, who had in the meantime been dismissed from his post within Pankki S,on 29 May 2018 asked Pankki S to inform him of the identity of the persons who had consulted his customer data, the exact dates of the consultations and the purposes for which those data had been processed.
In its reply of 30 August 2018, Pankki S refused to disclose the identity of the employees who had carried out the consultation operations on the ground that that information constituted the personal data of those employees. On the other hand, Pankki S provided further details of the consultation operations, carried out by its internal audit department, stating that a customer of the bank in respect of whom the applicant was the customer advisor was a creditor of a person also bearing the applicant’s surname. That bank had thus wished to clarify whether the applicant and the debtor in question were one and the same person and whether there could have been any impermissible conflict of interests. Pankki S added that the clarification of that issue required the processing of the data at issue, specifying that every member of the bank’s staff who had processed those data had made a statement to the internal audit department on the reasons for the processing of those data. In addition, the bank stated that those consultations had made it possible to rule out any suspicion of conflict of interests in relation to the applicant.
The applicant applied to the Data Protection Supervisor’s Office, Finland, seeking an order that Pankki S provide him with the information requested. Since that application was rejected, the applicant brought an action before the Administrative Court of Eastern Finland, which has asked the Court of Justice to interpret Article 15 of the General Data Protection Regulation (GDPR).1
In today’s judgment, the Court observes, first, that the GDPR, which has been applicable since 25 May 2018, applies to a request made after that date where that request concerns operation for the processing of personal data carried out before the date on which the GDPR became applicable.
Next, the Court holds that the GDPR must be interpreted as meaning that information relating to consultation operations carried out on a data subject’s personal data and concerning the dates and purposes of those operations constitutes information which that person has the right to obtain from the controller. On the other hand, the GDPR does not lay down such a right in respect of information relating to the identity of the employees who carried out those operations in accordance with the controller’s instructions, unless that information is essential in order to enable the data subject effectively to exercise the rights conferred on him or her by that regulation and provided that the rights and freedoms of those employees are taken into account.
In the event of a conflict between, on the one hand, the exercise of a right of access which ensures the effectiveness of the rights conferred on the data subject by the GDPR and, on the other hand, the rights or freedoms of others, a balance will have to be struck between the rights and freedoms in question. Wherever possible, means of communicating personal data that do not infringe the rights or freedoms of others should be chosen.
Lastly, the Court rules that the fact that the controller is engaged in the business of banking and acts within the framework of a regulated activity and that the data subject whose personal data has been processed in his capacity as a customer of the controller was also an employee of that controller has, in principle,no effect on the scope of the right conferred on that data subject.
NOTE: A reference for a preliminary ruling allows the courts and tribunals of the Member States, in disputes which have been brought before them, to refer questions to the Court of Justice about the interpretation of European Union law or the validity of a European Union act. The Court of Justice does not decide the dispute itself. It is for the national court or tribunal to dispose of the case in accordance with the Court’s decision, which is similarly binding on other national courts or tribunals before which a similar issue is raised.
1 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ 2016L 119, p. 1).
Source – EU Court of Justice – Email