Once again, the European Court of Justice had to deal with the right to information under Article 15 of the General Data Protection Regulation (GDPR) in Case C-579/21. The Finnish Administrative Court asked, among other things, whether the provision of information also includes information about the identities of employees who access data from data subjects."
Background
The person concerned was an employee and customer of a bank. The former employee became aware that employees of the bank had accessed his customer data multiple times after the termination of his employment relationship. He doubted the lawfulness of this processing and requested the bank to disclose to him the identity of the individuals who had accessed his customer data, the exact timestamps of these accesses, and the purposes for which this data was processed.
The bank refused to provide him with this information, stating that they did not want to disclose identities of their employees. However, they informed him that the data queries were carried out for an internal review as per the bank's instruction.
Subsequently, the individual felt that his right to information was violated and lodged a complaint with the Finnish supervisory authority. The authority rejected the complaint, stating that the log data in question was the employees' personal data and not to that of the individual concerned. Consequently, the Administrative Court, as the appellate instance, summarized the following questions and referred them to the European Court of Justice (ECJ):
- Is employee data (or log data) covered by the right to information?
- Are the employees who made the data queries considered recipients of personal data and thus covered by the right to information?
- Is it relevant for the assessment whether the data was processed before the entry into force of the GDPR?
Information on identity with reservation
The European Court of Justice (ECJ) ruled that log data can be considered as personal data and falls within the scope of the data subject's right to information. However, if this log data contains identity information about employees who process the data under instructions, this right cannot be applied without restriction.
In such a case, it needs to be examined whether:
a) this information is necessary to enable the data subject to effectively exercise their rights, and
b) whether the rights and freedoms of the employees are not disproportionately restricted.
Therefore, a balancing of interests must take place, where the data subject's interest in obtaining the information is weighed against the employees' interest in not being identified.
Accordingly (and without deciding on the matter itself, as this obligation falls to the national court), the European Court of Justice (ECJ) indicated in its decision that the information about the identity of the accessing employees was not necessary for effective legal enforcement in this case.
Employees are not considered “recipients“
Regarding the other question, the European Court of Justice (ECJ), by referring to the Advocate General's opinion, clarifies that the GDPR (General Data Protection Regulation) grants the data subject the right to know to whom their data has been disclosed. However, employees of the data controller are not considered "recipients" under the GDPR when they process the data under the supervision and instructions of that data controller. Therefore, they do not need to be informed about the data processing.
It is irrelevant whether the data was processed before the GDPR came into effect
The processing occurred in 2013, and thus, before the GDPR came into effect on May 25, 2018. The request for information was made on May 29, 2018. The European Court of Justice (ECJ) established that procedural rules (such as Article 15 of the GDPR) are applicable from the date of entry into force. Therefore, such a request can be made, even if the processing occurred before the GDPR's enforcement.
Summary
This verdict once again highlights the complexity and importance of the right to information under the GDPR. If the information provided in response to a request includes data about other individuals, the right to information does not generally exclude providing information about them. However, in cases where the rights and freedoms of the data subjects collide, it must be assessed on a case-by-case basis whether the information can actually be disclosed.
Your KWR Data Protection Team is happy to assist you.