On June 22, the Court of Justice of the European Union (CJEU)
issued a
judgment concluding that banks are not exempt from providing information upon request about when and why an individual’s data was accessed. However, banks are not necessarily required to name the people who accessed the data, the CJEU said. The Administrative Court of Eastern Finland issued a request for a preliminary ruling in an action seeking clarification on individuals’ rights when requesting information on data processing. The press release explained that a bank employee (who was also a customer of the bank) discovered that other bank employees consulted his personal data on several occasions. Doubting the lawfulness of these consultations, the now-former employee asked the bank for information on who accessed his data, the exact dates of the consultations, and the reasons why his data had been processed. The bank explained that it had consulted his data to check for a possible conflict of interest, but refused to disclose the employees’ identities, reasoning that this information “constituted the personal data of those employees.” A request made by the former employee to Finland’s Data Protection Supervisor’s Office to order the bank to provide him with the requested information was rejected, so the former employee brought an action before the Administrative Court of Eastern Finland, asking the Court of Justice to interpret Article 15 of the General Data Protection Regulation (GDPR).
The CJEU clarified, among other things, that while the GDPR gives individuals the right to access information about why and when their data was accessed (including information relating to consultation operations carried out on the former employee’s personal data), it does not grant a right to know who accessed the information when following a controller’s instructions “unless that information is essential in order to enable the data subject effectively to exercise the rights conferred on him[.]” The CJEU acknowledged, however, that a “balance will have to be struck between the rights and freedoms in question” and that “[w]herever possible, means of communicating personal data that do not infringe the rights or freedoms of others should be chosen.” Furthermore, the CJEU determined that the fact that the controller is a bank, and that the former employee was both an employee of the bank and a customer, “has, in principle, no effect on the scope of the right conferred on that data subject.”
