On 22 June 2023, the Court of Justice of the European Union (“CJEU”) delivered its ruling in Case C-579/21 (Pankki S – Scope of the right of access to the information referred to in Article 15 of the GDPR, including by reference to information contained in log data).
In essence, the CJEU was asked for a preliminary ruling on the interpretation of Article 15 (1) of the GDPR (Right of access by the data subject) in a case where the data subject seeks annulment of the Finnish DPA's decision rejecting his request that Pankki S, a banking institution established in Finland, be ordered to communicate to him certain information concerning consultation operations carried out on his personal data. More specifically, the CJEU was asked to rule on the following:
- whether the GDPR applies to a request for access made after the date on which it became applicable (i.e., 25 May 2018) if the concerned processing operations were carried out before the said date;
- whether under Article 15 (1) of the GDPR, the data subject is entitled to obtain from the controller information concerning the dates and purposes of the processing operations, and the identity of the natural persons who carried out those operations;
- whether it is relevant to the present case for defining the scope of the right of access that (i) the controller is engaged in the business of banking and thus acts within a regulated activity framework, or that (ii) the data subject in question was both a customer and an employee of that controller.
In response, the CJEU stated the following:
- Firstly, Article 15 of the GDPR, applicable since 25 May 2018, must be interpreted as meaning that it applies to a request for access made after that date, even though the request concerns processing operations carried out before the date on which the GDPR became applicable;
- Secondly, information relating to the dates and purposes of the personal data consultation operations constitutes information that the data subject has the right to obtain from the controller. However, the GDPR does not establish such a right in respect of the information relating to the identity of the employees who carried out those operations following the controller’s instructions, unless that information is essential to enable the data subject to effectively exercise the rights conferred on them by the GDPR, and provided that the rights and freedoms of those employees are duly considered;
- Thirdly, the facts that (i) the controller is engaged in the business of banking and thus acts within a regulated activity framework, and that (ii) the individual subject to the concerned processing was both a customer and an employee of that controller have, in principle, no effect on the scope of the right conferred on that data subject.