The Court of Justice of the European Union (CJEU) published its decision in the case of J.M. v Pankki S (Case C‑579/21) on 22 June 2023.

The case concerns the interpretation of Art. 15 GDPR, which grants data subjects the right to obtain access to their personal data and information about the processing of those data from the controller. The case was referred by a Finnish administrative court, which asked several questions about the scope and applicability of the data subject access right in relation to a request made by a former employee and customer of a bank, who wanted to know who accessed his customer data, when and for what purpose.

Background of the case

J.M., a former employee and customer of Pankki S, a Finnish bank, requested access to his customer data, which had been accessed by the bank’s staff on several occasions in 2013. The data subject access request was submitted in May 2018, under GDPR. J.M. wanted to know the identity of the staff members who accessed his data, the dates and purposes of the access and the log data generated by the access. The bank refused to disclose the identity of the staff members, arguing that it was their personal data and that the access was lawful and justified by the bank's activities. J.M. challenged the bank's decision before the Finnish supervisory authority, which rejected the appeal, and then before the Administrative Court of Eastern Finland, which referred several questions to the CJEU for a preliminary ruling.

The CJEU decision

The CJEU largely followed the opinion of the Advocate General (AG), with some exceptions mentioned below. The CJEU ruled that:

• Art. 15 GDPR applies to a request for access to personal data that were processed before the GDPR became applicable, as long as the request was made after that date;
• Art. 15(1) GDPR grants the data subject a broad right of access to information about the processing of his or her personal data, including the dates and purposes of the processing operations, in order to make it possible for the data subject to verify the lawfulness of the processing and to exercise the rights conferred by the GDPR. In reaching this conclusion, the CJEU referred to its recent decisions of 4 May 2023 in Österreichische Datenschutzbehörde and CRIF, C‑487/21 (summarised in our blog here) and of 12 January 2023 in Österreichische Post (Information regarding the recipients of personal data), C‑154/21 (discussed in our blog here);
• The CJEU agreed with the opinion of the AG that Art. 15(1) GDPR generally does not grant the data subject a right of access to information about the identity of the controller's employees who carried out the processing operations under the authority and in accordance with the instructions of the controller. However, the CJEU reached a different conclusion: it held that such a right may exist if this information is essential for the data subject to effectively exercise the rights under the GDPR and provided that the rights and freedoms of the employees are taken into account;
• In the event of a conflict between, on the one hand, the exercise of a right of access and, on the other hand, the rights or freedoms of others, a balance will have to be struck. The CJEU states that, wherever possible, the means of communicating personal data which does not infringe the rights or freedoms of others must be chosen; and
• The fact that the controller is a bank (and acts within the framework of a regulated activity) and that the data subject was also an employee of the controller has no bearing, in principle, on the scope of the right of access under Art.15 GDPR.

The CJEU also confirmed that the employees of the controller cannot be regarded as “recipients” of data within the meaning of the GDPR, when they process the data under the authority of the controller and in accordance with its instructions.

The press release is available here and the decision here.