January 9, 2023
In May 2018, JM, who was an employee and a customer of the Finnish bank Suur-Savon Osuuspankki, asked the bank to provide him with information as to the identity of certain other employees at the bank who had accessed his personal data between 1 November and 31 December 2013 as part of an internal investigation.
The bank refused JM’s request, arguing that the right of access of the data subject under Article 15 of the GDPR does not apply to log data of the bank’s data processing system recording which employees had access to the computer system containing customer data and at what time. Further, the bank said, the information requested related to personal data of those employees, not of JM. The bank explained that in 2014, its internal audit department had investigated JM’s customer data for the period 1 November to 31 December 2013 in connection with another of the bank’s clients, whose data appeared to show that there was a connection with JM that could give rise to a conflict of interest. The aim of the processing of both JM’s personal data and that of the bank’s client was to clarify that situation.
JM asked the Finnish Data Protection Authority to order the bank to provide the information he sought. This request was rejected so JM applied to the Finnish courts.
The Finnish court asked the CJEU whether the information JM sought, concerning personal data of his that the bank had collected and processed, corresponds to the “information” that JM, as the data subject, is entitled to obtain under Article 15(1) of the GDPR.
The AG said that once JM had obtained confirmation from the bank that his data had been processed, the “information” to which he was entitled is listed in points (a) to (h) of Article 15(1). This “information” is distinct from the data subject’s personal data and concerns:
- “the purposes of processing” (point (a));
- “the categories of personal data concerned” (point (b));
- the “expected retention period” (point (d));
- the rights of the data subject referred to in (e), (f) and (g); and
- the existence of automated decisions (point (h)).
Point (c), the recipients of the data, is addressed separately below. On this reading, the information concerns either certain rights of the data subject or the processing carried out, such as its purpose (in other words, the reason for it) and its subject matter (the categories of data processed). In short, the AG said, Article 15(1) gives the data subject a right to “information about the actual fact of processing and the circumstances surrounding it”. In addition, the data subject has a right to information on their rights in respect of the data processed, such as the right to complain to a supervisory authority.
In the AG’s view, the mere fact of the processing and the circumstances in which it occurred do not constitute “personal data” within the meaning of Article 4(1) of the GDPR. On that basis, JM had the right to be informed by the bank, as the data controller, of the personal data in its possession, whether obtained from JM himself (Article 13) or by other means (Article 14). He was also entitled under Article 15 to information on the existence and circumstances of each processing operation to which his data had been subjected, not because that information constituted “personal data”, but because Article 15 expressly provides for it. However, he had no right to information on the identity of the employees who had consulted his data, as that was not his “personal data” but that of the employees concerned.
As for whether JM was entitled to information about the employees as “recipients” of such data, the AG observed that the definition of “recipient” under Article 4(9), because of the inclusion of the words “whether a third party or not”, could be interpreted to mean that a “recipient” is not only any third party to which the bank communicated JM’s personal data, but also each of the employees who consulted the data on behalf of the bank. However, in the AG’s view, this was an incorrect interpretation of the provision, as Article 4(10) defines “third party” as a person, authority, agency or body other than the data subject, controller, processor and “persons who, under the direct authority of the controller or processor, are authorised to process personal data”. Therefore, “recipient” did not include the employees, provided they were acting under the direct authority of the bank, which in this case they were.
The AG also said that if the data subject has concerns over the lawfulness of the involvement of certain employees in the processing of their personal data on behalf of the controller, that is a matter for the data protection officer of the organisation and the supervisory authority. Ultimately, the supervisory authority can assess whether the concerns are sufficiently well founded to justify disclosing the employees’ identities.
The AG also said that the data subject does not have a right to know the identity of the employees as recorded in the logs, files or records of transactions of an organisation.
The AG concluded that Article 15(1) means that the data subject does not have the right to know, from among the information available to the controller (where applicable, through records or log data), the identity of the employee or employees who, under the authority and on the instructions of the controller, have consulted his or her personal data. (Case C-579/21 JM EU:C:2022:1001 (Opinion of Advocate General) (15 December 2022).)