Introduction and Background
On 22nd June 2023, the Court of Justice of the European Union (CJEU) issued its judgment in case C-579/21 clarifying the scope of the right of access to personal data under Article 15 of the General Data Protection Regulation (GDPR). The case arose from a request for a preliminary ruling filed by the Administrative Court of Eastern Finland in the context of a proceeding involving Pankki S, a banking institution, and J.M., Pankki S’ former employee and customer. J.M. found out that his customer data had been accessed by members of the bank’s staff on several occasions in 2013. Having doubts about the lawfulness of this processing, on 29th May 2018 J.M. exercised his right of access under Article 15 of the GDPR seeking to know the identity of the employees who accessed his data, the dates of this processing, and the purposes for which the data was accessed. In response to this request Pankki S refused to disclose the identity of the employees on the grounds that such information was not the personal data of J.M.
This article presents the issues raised by the case and provides clarity on the scope of the right of access. The case’s implications are outlined in relation to three points: the applicability of Article 15 to processing operations conducted prior to the GDPR, the notion of “recipient” (contained within Article 15), and the extent of the information that individuals can access regarding the processing of their personal data.
The key findings of the judgment highlight significant implications for organisations that handle personal data:
- Applicability to pre-GDPR processing: The ruling established that Article 15 of the GDPR applies to requests for access to personal data even when the processing operations occurred before the GDPR became applicable. Therefore, individuals can seek information about historic data processing, provided that the access request is submitted after the GDPR became applicable.
- Access to dates and purposes of data processing: The CJEU confirmed that individuals have the right to obtain information about the dates and purposes of the processing operations concerning their personal data. This allows individuals to verify whether their data was processed during specific periods and assess the lawfulness of the processing.
- Information on recipients: According to Article 15(1)(d) of the GDPR, companies must inform individuals about the recipients or categories of recipients to whom their personal data has been disclosed. The CJEU clarified that employees carrying out processing operations following the controller’s instructions should not be classed as “recipients” under the meaning of Article 15 of the GDPR.
- Balancing individual rights and employee privacy: The judgment clarified that the right of access to personal data does not automatically extend to obtaining information about the identity of employees who carried out the data processing on behalf of the company. Access to such information can be granted provided that (i) it is essential to enable the data subject to exercise in an effective way their rights under the GDPR, and that (ii) the rights and freedoms of employees are duly taken into account.
Main Implications for Data Controllers
This ruling underscores the importance of organisations implementing appropriate technical and organisational measures to document the processing operations they perform, so that they can subsequently handle and respond to data subjects’ requests effectively.
To address the implications of this judgment, organisations should:
- Implement data access procedures: Organisations should ensure that their procedures for handling access requests (i) take into account the rights and freedoms of other individuals; and (ii) provide a mechanism to efficiently retrieve any personal data held that predates the GDPR.
- Adopt adequate technical and organisational measures: To be able to comply with data subjects’ access requests, data controllers should implement technical measures to ensure that all aspects of processing carried out on personal data are appropriately documented, including key aspects of this processing (e.g. type, frequency and purposes of processing).
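As an added illustration of the two measures above (it is not code from the article or from Trilateral), the following Python snippet shows how an access audit log, kept for every read of a customer record, can answer an Article 15 request in line with the judgment: it returns the dates, purposes and frequency of processing regardless of whether the events predate the GDPR, names only the category of recipients (staff acting under the controller’s instructions), and discloses employee identities only when the caller explicitly decides that this is essential for the data subject to exercise their rights. The log schema, field names and the sample log lines are assumptions constructed for this example.

```python
"""Answer a GDPR Article 15 access request from an access audit log.

Assumptions (not taken from the article): every read of a customer record is
logged as one event with the data subject, the acting employee, a timestamp and
the declared purpose. AUDIT_LOG below is constructed sample data; the 2013
dates mirror the article's scenario of pre-GDPR processing.
"""
from collections import Counter

# Constructed sample audit log (hypothetical field names and values).
AUDIT_LOG = [
    {"subject": "J.M.", "employee": "emp-101",
     "timestamp": "2013-03-04T09:12:00", "purpose": "customer_service"},
    {"subject": "J.M.", "employee": "emp-207",
     "timestamp": "2013-11-19T14:03:00", "purpose": "loan_review"},
    {"subject": "J.M.", "employee": "emp-101",
     "timestamp": "2013-11-19T14:40:00", "purpose": "loan_review"},
    {"subject": "A.B.", "employee": "emp-207",
     "timestamp": "2014-01-08T10:00:00", "purpose": "customer_service"},
]

# Employees acting on the controller's instructions are not "recipients" under
# Art. 15(1)(d); the report therefore names only their category by default.
STAFF_RECIPIENT_CATEGORY = "bank staff acting under the controller's instructions"


def subject_access_report(log, subject, include_employee_identity=False):
    """Build the Article 15 response for one data subject.

    No filtering on the event date is applied: a request made after the GDPR
    became applicable covers processing that happened before that date.
    Employee identities are withheld unless include_employee_identity is set,
    which should only be done where that information is essential for the
    data subject to exercise their rights and the employees' own rights and
    freedoms have been weighed.
    """
    events = sorted(
        (e for e in log if e["subject"] == subject),
        key=lambda e: e["timestamp"],
    )
    report = {
        "subject": subject,
        # One entry per access: the date and the purpose of that operation.
        "processing_operations": [
            {"date": e["timestamp"][:10], "purpose": e["purpose"]} for e in events
        ],
        # Distinct purposes and how often each one occurred (type/frequency).
        "purposes": sorted({e["purpose"] for e in events}),
        "frequency_by_purpose": dict(Counter(e["purpose"] for e in events)),
        # Category of recipients rather than the individuals concerned.
        "recipient_categories": [STAFF_RECIPIENT_CATEGORY] if events else [],
    }
    if include_employee_identity:
        report["employees"] = sorted({e["employee"] for e in events})
    return report


if __name__ == "__main__":
    # Default response: dates and purposes, no employee identities.
    print(subject_access_report(AUDIT_LOG, "J.M."))
    # Only after a documented necessity assessment: identities included.
    print(subject_access_report(AUDIT_LOG, "J.M.", include_employee_identity=True))
```

The design point is that the decision to disclose employee identities is a separate, explicit step rather than the default output of the retrieval tool, which keeps the balancing exercise required by the judgment visible in the procedure instead of buried in the data.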
By proactively addressing the implications of this ruling, organisations can foster customer trust and demonstrate compliance with the GDPR’s data rights framework. Trilateral’s Data Protection and Cyber-Risk Team has significant experience in assisting organisations in developing data protection policies and procedures, including in relation to the handling of data subjects’ requests. Feel free to contact our advisors if you would like to receive expert assistance in data protection compliance.