The Court of Justice of the European Union ("CJEU") recently confirmed in case C‑579/21 that the GDPR does not provide data subjects with a right of access to the identity of employees who process their personal data while employed by the controller, unless that information is essential to enable the data subject to effectively exercise his or her rights, and provided that the rights and freedoms of those employees are taken into account.
The CJEU’s decision indicates that the disclosure of employee identities may be justified, for example, when necessary to ensure the lawfulness of their processing of personal data or where the access occurred without the employees acting under the authority and instructions of the data controller. In addition, Member States may adopt sectoral rules requiring the disclosure of the identity of a controller’s employees in certain circumstances.
The CJEU further clarified that data subjects can rightfully request under Article 15(1) GDPR information relating to consultation operations carried out on their personal data, including the dates and purposes of these operations.
The complainant, an employee of a Finnish bank, who was also a customer of the bank, learnt that his personal data had been consulted by other members of the bank's staff on several occasions in November-December 2013. As the complainant had doubts as to the lawfulness of those consultations, following the coming into force of the GDPR in May 2018, the now former employee asked the bank to inform him of the identity of the employees who had consulted his data, the exact dates of those consultations, and the purposes for which those data had been processed.
The bank refused to disclose the identity of the employees who had carried out the consultation operations on the grounds that that information constituted the personal data of those employees. However, the bank did provide other details of the consultation operations, and confirmed that every member of the bank's staff who had processed the complainant's personal data had made a statement to the internal audit department regarding the reasons for processing the data.
A request made by the former employee to Finland’s Data Protection Supervisor’s Office to order the bank to provide him with the requested information, including the identity of the employees who consulted his data, was rejected. Therefore, the former employee brought an action before the Administrative Court of Eastern Finland, asking the CJEU to clarify the scope of an individual's access rights under Article 15 GDPR.
The CJEU confirmed that employees of the data controller cannot be considered ‘recipients’ (within the meaning of Article 15(1)(c) GDPR) when they process personal data under the authority and in accordance with the instructions of the controller.
Whilst controllers are not exempt from providing information upon request about when and why an individual’s personal data was consulted, to the extent that such consultation operations constitute "processing" within the meaning of Article 4(2) GDPR, they are not necessarily required to disclose the identity of the employees who consulted the data. In that regard the CJEU recalled that Article 15(4) GDPR and recital 63 GDPR state that the right of access "should not adversely affect the rights or freedoms of others". In addition, the CJEU noted that recital 4 GDPR acknowledges that the right of access is not an absolute right, and that it must be considered in relation to its function in society and be balanced against other fundamental rights.
The CJEU clarified that while the GDPR gives individuals the right of access to information about why and when their personal data was consulted, it does not grant data subjects a right to know the identity of those employees who consulted their data in accordance with the controller’s instructions, "unless that information is essential in order to enable the data subject effectively to exercise the rights conferred on him or her [under the GDPR], and provided that the rights and freedoms of those employees are taken into account".
In the event of a conflict between the exercise of a right of access, which ensures the effectiveness of the rights conferred on the data subject by the GDPR, and the rights or freedoms of others, a balance will have to be struck between the rights and freedoms in question. Wherever possible, a controller should choose a means of communicating personal data that does not infringe the rights or freedoms of others.
The CJEU further stated that the fact that the controller is engaged in the business of banking and acts within the framework of a regulated activity, and that the data subject was both an employee of the bank and a customer, “has, in principle, no effect on the scope of the right conferred on that data subject.” Accordingly, neither the nature of a controller's activities nor a data subject's status as employee and/or customer affects the scope of a data subject's right of access.
If you would like more information, please do not hesitate to contact any member of our Technology and Innovation Group.