In response to a preliminary question addressed to it by the Administrative Court of Eastern Finland, in its judgment in Pankki S (C-579/21) issued on 22 July 2023, the European Court of Justice had the opportunity to clarify that anyone has the right to know the date and the reasons as to why their personal data were consulted.
The Court’s ruling originated from a dispute in which the employee of a bank, who was also one of its clients, demanded the bank in question, the reason as to why his personal data had been consulted by the bank (this case concerned a homonym with another client of the bank).
The Finnish judge seized by the employee addressed a preliminary rulings to the Court of Justice on the interpretation of Article 15 of the GDPR, in particular asking the Court to clarify whether the consultation of the personal data carried out by the data controller of such data (the bank in this case) constituted a form of access to such data, which the data subject had the right to know with particular reference to the reasons as to why these consultations were carried out.
The Court responded by specifying the notion of “personal data” governed by the regulation in question is particularly broad and encompasses any type of consultation of said data. The data subject therefore has the right to know the reasons that led the data controller to access the data and carry out the relevant inspections.
In light of the explanation that the data controller is required to provide, the data subject must basically be able to assess the reasons of the consultation, in particular to evaluate whether there has been any damages caused to him and, if starting a legal action for the compensation of the damage suffered.
However, the Court has clarified that this right does not entitle the data subject – who, among other things, was an employee of the data controller – to know the names of the colleagues who carried out such consultation.
In this regard, the Court had observed in particular that, pursuant to the listing 4 of the GDPR Regulations “The right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights” (v., in this sense, sentence of 16 July 2020, Facebook Ireland and Schrems, C-311/18, EU:C:2020:559, punto 172)”.
Accordingly, the exercise of a right of access that ensures the useful effect of the rights recognized by the GDPR to the data subject must be balanced with the rights or freedoms of others choosing, where possible, methods that do not infringe such rights or freedoms.
The Court has essentially observed that, without prejudice to the fact that these considerations must not lead to the denial of facts to provide the data subject all the information legitimately requested, the GDPR nevertheless, and in particular its article 15, “does not lay down such a right in respect of information relating to the identity of the employees of that controller who carried out those operations under its authority and in accordance with its instructions, unless that information is essential in order to enable the person concerned effectively to exercise the rights conferred on him or her by that regulation and provided that the rights and freedoms of those employees are taken into account”.