Judgment of the Court of Justice in case C-579/21 of 22/06/2023 analyzed the situation when in 2014, an employee and at the same time a client of the bank learned that other employees of the bank had accessed his personal data several times. The employee was later dismissed from his job, because of the reason he had doubts about the legality of informing other employees of his personal data. Accordingly, he asked the bank to inform him of the identity of the employees who became familiar with his personal data, the exact dates when this knowledge occurred and the purpose of processing his personal data.
The bank refused to inform the employee of the identity of the employees who got acquainted with his personal data, on the grounds that this information represents the personal data of these employees.
The client of the bank, for whom the applicant was an adviser, was a creditor of a person with the same last name as the applicant. The bank investigated whether the applicant and the debtor were one and the same person and whether there could be a relationship of an inadmissible conflict of interest. For this reason, the bank needed to process personal data when solving this issue, stating that every employee of the bank who processed personal data submitted a statement to the internal audit department regarding the reasons for data processing, which made it possible to rule out the suspicion of a conflict of interests of the applicant.
The applicant turned to the Finnish Office of the Person Responsible for the Protection of Personal Data in order to oblige the bank to provide him with the requested information. The Office of the Person Responsible for Personal Data Protection rejected the applicant's request. For the stated reason, the applicant turned to the Administrative Court. The Administrative Court asked the Court of Justice to interpret Article 15 of the General Data Protection Regulation (GDPR).
The Court of Justice stated that the person concerned has the right to obtain the said information from the operator regarding the information regarding the familiarization with the person's personal data, which relates to the dates and purposes of personal data processing.
The General Data Protection Regulation (GDPR) does not include such a right with regard to information regarding the identity of employees who carried out the processing of personal data in accordance with the instructions of the controller.
If such information is necessary for the data subject to effectively exercise the rights included in the General Data Protection Regulation (GDPR), the operator must provide it to the data subject.
In the event of a conflict between the exercise of the right of access granted by the General Data Protection Regulation (GDPR) to the data subject on the one hand and the rights or freedoms of others on the other hand. It is necessary to use a method that does not interfere with the rights and freedoms of others.
We provide daily commentary from various fields of law, business, and audit. We try to give an objective and impartial view of current topics that move the professional world.