In its judgment of 22 June 2023, the Court of Justice of the EU (ECJ) stressed that the right of access does not go so far as to allow information on the identity of other employees to be disclosed just like that. According to the Court, this is only possible if that information is indispensable to enable the applicant to effectively exercise the right of access and provided that the rights and freedoms of the other employees are taken into account.
1. The facts
A former employee of a bank in Finland (who was also a customer there) became aware that employees of the bank had repeatedly accessed his customer data over a period of two months.
Following the entry into force of the General Data Protection Regulation (GDPR), the former employee had doubts about the legality of the consultations made by the bank. He requested the bank to inform him about the identity of the persons who had consulted his customer data, the exact dates of the consultations and the processing purposes of these personal data. In its reply, the bank refused to disclose the identity of the employees who had accessed the personal data on the grounds that this information constituted personal data of these employees. However, the bank had informed the former employee that it had instructed the internal audit department to consult his personal data as part of an investigation into a possible unlawful conflict of interests.
The former employee disagreed with the bank's response and requested the Finnish Data Protection Supervisor's Office to order the bank to provide him with information on the consultations of personal data. The Finnish Data Protection Authority rejected the former employee's request, as it amounted to accessing the bank's employees' log files and, consequently, this concerned employees' personal data.
The former employee did not agree with the decision of the Finnish Data Protection Authority and brought the case before the East Finnish Administrative Court. Before ruling on the case, the court referred some preliminary questions to the ECJ regarding the scope of the right of access under Article 15 of the GDPR.
2. The judgment
First and foremost, the Court confirmed that it did not matter that the facts predated the entry into force of the GDPR. The Court therefore held that Article 15 GDPR applies to a request for inspection, such as the one made by the former employee, when the request was made after the date of the GDPR entering into force.
The Court then answers the question of whether the former employee's right of access under Article 15 GDPR should be interpreted so broadly as to entitle the former employee to obtain information about the consultations of his personal data, the dates of those consultations, their purposes and the identity of the persons who made those consultations. The Court takes into account that, according to the East Finnish Administrative Court, the provision of this information could be done through the transfer of the log files.
The Court recognises that a copy of the log files may prove necessary to comply with the obligation to:
- give the former -employee access to all the information mentioned in Article 15 GDPR;
- ensure lawful and transparent processing.
However, these files contain not only information about the fact that processing has taken place, its frequency and intensity, but also the identity of the persons who have done the processing.
Article 15(1)(c) GDPR stipulates that the data subject has the right to information concerning the recipients or categories of recipient to whom the personal data have been or will be disclosed. However, employees of the controller cannot be considered as "recipients" within the meaning of Article 15(1)(c) GDPR when they process personal data under the authority of that controller and in accordance with its instructions. Consequently, the employee is thus not entitled to information about the identity of the employees on the basis of Article 15(1)(c) GDPR.
Since the information in the log files identifies the employees who made the consultations, this information concerns the personal data of those employees. While providing information to the former employee about the employees' identities may be necessary to verify that the processing was lawful, it should not prejudice the rights or freedoms of others. However, the balancing exercise of the right to access and the rights and freedoms of others should not result in the data subject being deprived of all information.
The Court concludes that the right of access in Article 15 GDPR must be interpreted as meaning that the former employee is entitled to information relating to the consultations of his personal data, on the dates and purposes of those consultations. On the other hand, the former employee is not entitled to the information relating to the identity of the bank's employees in their capacity as controller who carried out those consultations under the bank's authority and in accordance with its instructions, unless that information is indispensable to enable him effectively to exercise the rights conferred on him by the GDPR and provided that the rights and freedoms of those employees are taken into account.
Finally, the Court ruled that the mere fact that the controller carries out a banking activity and that the person whose personal data was processed was both a (former) employee and a customer of this controller has no impact on the scope of the right of access under Article 15 GDPR.
3. Decision of the Litigation Chamber n°89/2023
The Litigation Chamber of our Belgian Data Protection Authority recently had to rule in a similar case as well.
In this case, the national registration number of three persons was consulted up to 15 times by a public authority. These persons requested access to the identity of the person who had consulted the national register on behalf of the public authority and to the purpose for these consultations. They suspected that the consultations had taken place for private purposes. However, the public authority refused to grant the request to disclose the employee's identity for the sake of protecting the employee's personal data.
In its decision, the Litigation Chamber referred to the aforementioned Court of Justice judgment, which, in its view, shows that a data subject does not simply have the right to access the identity of employees who have accessed personal data.
It must be verified whether the employee has processed the data subject's personal data under the authority and according to the instructions of his employer. This question is therefore related to the purpose of the processing.
When an employee has processed the data subject's personal data under the authority and according to the instructions of his/her employer, the data subject does not have an automatic right of access to the employee's identity. The employer remains the controller and the relevant information should be provided to the data subject allowing him/her to assess the lawfulness of the processing. Should this information prove insufficient, the data subject can turn to the data protection authority, which can make the necessary check.
However, the data subject should have the right to access the identity of these employees if these employees did not process the personal data under the authority and on the instructions of their employer, but for their own purposes. In that case the employer is not the controller, but rather the employee is.
The identity of an employee who acts in accordance with the employer's instructions thus enjoys higher protection than that of an employee who does not.
Nevertheless, the above does not mean that the rights and freedoms of the employee, acting under the authority and according to the instructions of his/her employer, would take precedence over the data subject's right of access. According to the Litigation Chamber, there should still be a balancing of interests between the rights and freedoms of the data subject and those of the employees.
Before rejecting the request for access, according to the Litigation Chamber, the public authority had to:
- verify whether or not the employee had consulted the data subject's personal data under its authority and according to its instructions (finality of processing)?
- if appropriate, to weigh up the rights and freedoms of the data subject and the employee.
By failing to do so, it has violated the provisions of the GDPR. The Litigation Chamber offers the public authority the opportunity to regulate itself by still making the above-mentioned thought exercise. So it is not yet a decision on the merits by the Litigation Chamber.
When a data subject invokes his/her right of access, it remains essential to safeguard the rights and freedoms of other employees. Only when that information is indispensable to enable the data subject to effectively exercise his/her rights under the GDPR and the rights and freedoms of those employees are taken into account may the data subject be entitled to information on the identity of other employees who have processed personal data of the data subject under the authority and instructions of the employer. A true balancing act between the rights and freedoms of the data subject and those of other employees is therefore expected of the employer.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.