In a ruling handed down on Thursday 22 June (Case C-579/21), the Court of Justice of the EU ruled that anyone can find out when and why their personal data has been consulted, regardless of the activity carried out by the controller - in this case, a bank - and their relationship with the controller.
A customer and employee of the Pankki S bank learned that his personal data had been consulted on several occasions by members of staff. He then asked his bank to provide him with the identity of these people and the dates and reasons for the consultations. The bank has refused to disclose the identity of its employees on the grounds that this is personal data but has provided details of the rest.
Following a rejection by Finland’s Data Protection Supervisor’s Office, the customer and bank employee appealed to the Administrative Court. The Administrative Court questioned the interpretation of the right of access to data contained in the General Data Protection Regulation (GDPR).
The Court considers that the customer can access information relating to consultation dates and operations. On the other hand, the GDPR does not grant the right to obtain the identity of employees carrying out the controller’s instructions unless this is essential for the exercise of the applicant’s rights and provided that the employees’ rights and freedoms are respected.
In addition, the ruling stresses that neither the fact that the individual is both a customer and an employee nor the specific characteristics of the banking sector in themselves justify a refusal of access to the requested information. The right of access to data makes no distinction based on the nature of the data controller’s activities or the applicant’s position.
Finally, although the customer submitted his request to the bank in 2014 for data accessed in 2013, the Court confirms that the GDPR applies, despite its entry into force in 2018.
The judgment: https://aeur.eu/f/7n1 (Original version in French by Hélène Seynaeve)