CJEU subject access case: the names of people who have viewed your data are also personal data relating to you; but you may not have a right to know who they are

On 22nd June 2023, the Court of Justice of the European Union (“CJEU”) published its decision in Case C-579/21 on the question of whether individuals are entitled to learn who has accessed their personal data. The CJEU backed an expansive interpretation of personal data and confirmed that it includes information that is generated during the processing of personal data, such as log data which captures details of which individuals have accessed personal data. This follows the CJEU’s wide interpretation of what constitutes personal data in rulings such as Lindqvist C-101/01, Breyer C-582/14, Nowak C-434/16 and Vyriausioji C-184/20. Accordingly, this is data which is in scope of the right of access under GDPR Art.15(1). However, the CJEU underlined that this is not an absolute right – there is room to weigh the rights and freedoms of the involved parties, which can limit the scope of the access right. In this case, the CJEU confirmed that the complainant should not be provided with the identities of the individuals who had accessed the complainant’s file. However, the decision leaves open the possibility that this may be necessary in other cases.

Facts

The complainant, J.M., worked in a Finnish bank and was also a customer of the bank. During 2014, employees of the bank had accessed J.M.’s customer data. In May 2018, right after the General Data Protection Regulation 2016/679 (“GDPR”) became applicable, J.M. asked the bank to reveal the identity of the employees who had accessed his data. He also wanted to know the purpose of the processing.

According to the GDPR Article 15(1):

“1. The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:

(a) the purposes of the processing;

(b) […];

(c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;”

The bank refused J.M.’s request; in 2020, the Data Protection Ombudsman of Finland (“DPA”) agreed with the bank. J.M. argued that if data subjects did not have a right to obtain the identity of the persons who had accessed their personal data, they would have no effective means of verifying the lawfulness of the processing. J.M. brought the case to the Administrative Court of Eastern Finland which asked the CJEU for a preliminary ruling.

Personal data interpreted broadly

The CJEU backed an expansive interpretation of the definition of personal data and concluded that personal data includes the information, contained in the log data, about the persons who have consulted the data subject’s personal data.

Employees acting under the authority of the employer are not “recipients”

When considering whether the employees were to be considered recipients of the personal data, the CJEU concluded that the employees who had consulted J.M.’s data were not recipients as long as they processed personal data under the authority of the controller and in accordance with its instructions.

Rights of the data subject to be balanced with rights & freedoms of others (including other data subjects)

The CJEU considered recital 63 of the GDPR that states that the access right “should not adversely affect the rights or freedoms of others […]” and recital 4 of the GDPR that states that “[t]he right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality.” The CJEU acknowledged that the disclosure of the identity of the employees to J.M. could be necessary for J.M. to ensure the lawfulness of the processing of his personal data, but that at the same time it can infringe the rights and freedoms of the employees.

The CJEU also took into account the context: J.M. did not dispute that the employees had been processing his personal data in accordance with the controller’s instructions. Instead, he doubted whether the controller had accurately communicated the purposes of the processing to him. The CJEU emphasised that if data subjects consider the provided information insufficient to verify the lawfulness of the processing, data subjects are entitled to lodge a complaint with the supervisory authority.

The conclusion of the CJEU was that Article 15(1) of the GDPR entitles data subjects to have access to the dates and purposes of operations carried out on the data subject’s personal data. However, the Article does not grant a right to obtain the identities of employees who have carried out these consultations, provided that the consultations have been made under the controller’s authority and in accordance with its instructions. The CJEU nevertheless leaves open a different outcome: the opposite conclusion can apply if it is essential for the data subject to obtain the identities of employees to exercise their rights under the regulation – provided that at the same time the rights and freedoms of the employees are considered.

Do the provisions in Article 15(1) of the GDPR apply retroactively?

The CJEU noted the legal practice that procedural rules generally apply right away, as opposed to substantive rules that usually do not apply to situations that have taken place before the provisions entered into force. The provisions in Article 15(1) of the GDPR only determine the scope and procedure for the data subject’s access rights. Thus, the CJEU concluded that they are of a procedural nature and applied to J.M.’s request as it was made when the GDPR had entered into force.

Does it matter that the controller was a bank and J.M. was both a customer and an employee of the controller when the processing in question took place?

The CJEU stated that neither the nature of the controller’s activities nor the data subject’s status makes any difference when assessing the scope of the data subject’s access right. However, this may be relevant to restrictions to the rights of data subjects implemented by Member States on the basis of GDPR Article 23.
