Top of page ↑

Summary

European Court of Justice (ECJ), June 22, 2023

ECJ 22 June 2023, case C-579/21 (Pankki S), Privacy

J.M. – v – Apulaistietosuojavaltuutettu, Pankki S, Finnish case

Summary

While every person has the right to know the date of and reasons for the consultation of his/her personal data, such information does, in principe, not include names of the employees who consulted this information. The ECJ’s summary of the case is available here.

Questions

  1. Is Article 15 of the GDPR, read in the light of Article 99(2) of that regulation, applicable to a request for access to the information referred to in the first of those provisions where the processing operations covered by that request were carried out before the date on which that regulation became applicable, but the request was made after that date.
  2. Must Article 15(1) of the GDPR be interpreted as meaning that information relating to consultation operations carried out on a data subject’s personal data and concerning the dates and purposes of those operations, and the identity of the natural persons who carried out those operations, constitutes information which that data subject is entitled to obtain from the controller under that provision?
  3. Is the fact, first, that the controller is engaged in the business of banking and acts within the framework of a regulated activity and, second, that the data subject whose personal data has been processed in his or her capacity as a customer of the controller was also an employee of that controller relevant for the purposes of defining the scope of the right of access conferred on him or her by Article 15(1) of the GDPR?

Ruling

  1. Article 15 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), read in the light of Article 99(2) of that regulation, must be interpreted as meaning that it is applicable to a request for access to the information referred to in that provision where the processing operations which that request concerns were carried out before the date on which that regulation became applicable, but the request was submitted after that date.
  2. Article 15(1) of Regulation 2016/67 must be interpreted as meaning that information relating to consultation operations carried out on a data subject’s personal data and concerning the dates and purposes of those operations constitutes information which that person has the right to obtain from the controller under that provision. On the other hand, that provision does not lay down such a right in respect of information relating to the identity of the employees of that controller who carried out those operations under its authority and in accordance with its instructions, unless that information is essential in order to enable the person concerned effectively to exercise the rights conferred on him or her by that regulation and provided that the rights and freedoms of those employees are taken into account.
  3. Article 15(1) of Regulation 2016/679 must be interpreted as meaning that the fact that the controller is engaged in the business of banking and acts within the framework of a regulated activity and that the data subject whose personal data has been processed in his or her capacity as a customer of the controller was also an employee of that controller has, in principle, no effect on the scope of the right of access conferred on that data subject by that provision.