Everyone has the right to know at what time and for what reasons their personal data was requested.
The fact that the responsible person is engaged in the banking business does not affect the scope of this right.
In 2014, an employee who was also a customer of the bank Pankki S became aware that his personal data had been queried by other employees of the bank on several occasions in the period from November 1 to December 31, 2013. As this employee, whose employment with Pankki S had been terminated in the meantime, had doubts about the legality of these queries, he requested Pankki S on May 29, 2018 to disclose to him the identity of the persons who had queried his customer data, the exact time of the queries and the purposes of the processing of this data.
In its response of August 30, 2018, Pankki S refused to provide information about the identity of the employees who had made the queries, stating as grounds that this information was personal data of those employees. Pankki S, on the other hand, provided more details about the queries carried out by its internal audit department, explaining that a client of the bank, whose client advisor had been the information seeker, was a creditor of a person with the same last name as the information seeker. The bank had therefore wanted to clarify whether the latter and the debtor in question were identical persons and whether there might have been an improper conflict of interest. In addition, Pankki S explained that in order to clarify this issue, the processing of the data at issue had been necessary, clarifying that each employee of the Bank who had processed such data had made a declaration to Internal Audit regarding the reasons for such data processing. In addition, the bank stated that these queries had made it possible to completely eliminate the suspicion of a conflict of interest with respect to the person seeking information.
The information seeker contacted the Office of the Data Protection Commissioner of Finland and requested that Pankki S be ordered to provide him with the requested information. After this request was rejected, the information seeker brought an action before the Administrative Court of Eastern Finland asking the Court of Justice to interpret Article 15 of the General Data Protection Regulation ('GDPR').
In today's judgment, the Court first states that the GDPR, which has been applicable since 25 May 2018, applies to a request for information made after that date if the processing operations relating to that request were carried out before the date of application of the GDPR.
Next, the Court holds that the GDPR must be interpreted as meaning that information relating to interceptions of an individual's personal data which relate to the timing and purposes of those operations is information which that individual is entitled to request from the controller. In contrast, the GDPR does not provide for such a right in relation to information about employees who have carried out those operations in accordance with the instructions of the controller, except where such information is indispensable to enable the data subject to effectively exercise the rights conferred on him by this Regulation and provided that the rights and freedoms of those employees are taken into account. Indeed, if the exercise of a right of access ensuring the practical effectiveness of the rights granted to the data subject by the GDPR, on the one hand, and the rights and freedoms of other persons, on the other, conflict, the rights and freedoms at stake must be weighed against each other. If possible, modalities should be chosen that do not infringe these rights and freedoms.
Finally, the Court rules that the fact that the controller carries out the banking business in the context of a regulated activity and that the person whose personal data were processed in his capacity as a customer of the controller was also employed by that controller does not, in principle, affect the scope of the right granted to that person.
Source: ECJ Press Release No. 107/23, 22.06.2023
