The ECJ has ruled in the Judgment of June 22, 2023 in Rs. C‑579/21 The Administrative Court of Eastern Finland dealt with the scope of the right to information. A former bank employee, who was also a customer of the bank, had requested information about which employees of the bank had accessed his data after the end of the employment relationship.
Questionable at first was the Temporal applicability of the right to informationbecause it concerned data access in a period before the entry into force of the GDPR. According to the ECJ, however, it is decisive that the request for information was made after the entry into force:
32 […] in the case of procedural provisions, it must generally be assumed that they apply from the time of their entry into force, whereas substantive provisions are generally interpreted in such a way that they only apply to legal positions that arose and were definitively acquired before their entry into force if it is clear from their wording, purpose or structure that such an effect is to be attributed to them […].
35 It follows […] that Art. 15(1) GDPR confers a procedural right on data subjects to request information about the processing of their personal data. As a procedural provision, this provision shall apply to requests for information made […] as of the date of application of this Regulation..
In principle, information about access to personal data is also personal:
45 Therefore, the broad definition of personal data covers not only the data collected and stored by the controller, but also any information relating to an identified or identifiable individual resulting from the processing of personal data (see in this sense judgment of 4 May 2023, Austrian Data Protection Authority and CRIF, C‑487/21, EU:C:2023:369, para. 26).
Furthermore, there is in principle a right to information about the specific, individual recipients of personal data, as the ECJ stated in the Judgment in the case of Österreichische Post AG had determined. Since individual Employees of the responsible party but are not recipientsThis does not imply any entitlement to be named.
Nevertheless Log data (logs) may constitute personal data. The ECJ refers to the fact that these data in the present case are lists of processing activities. This is difficult to understand; the ECJ refers to statements made by the Advocate General in his Opinion, but he did not say so. However, the following statement of the ECJ is correct:
Insofar as these directories of processing activities No information about an identified or identifiable natural person […], they only enable the controller to fulfill its obligations towards the supervisory authority requesting their provision.
This does not mean, however, that a claim to mention information from processing lists is excluded. It depends on two points:
- First, a claim may be Document disclosure and not only of personal data, as far as these documents are necessary as context information for the understanding of the personal data (ECJ i.S. CRIF (C‑487/21)).
- Secondly, the right to information serves to provide the data subject with the Verification of legality of the processing. This may include, as in the present case, verifying that access by other employees was “actually carried out under the supervision of the controller and in accordance with his instructions” (Art. 29 GDPR).
However, this would result in the disclosure of personal data of these accessing employees. This does not exclude the right of access, but it is a Weighing of interests and the information is to be provided as gently as possible.
The ECJ therefore arrives at the following answer:
[…] Information, which concern queries of personal data of a person and which relate to the time and the purposes of these operations, constitute information that the said person is entitled to request from the controller under this provision. In contrast, this provision does not provide such right in relation to information about the identity of the employees of this controller who have carried out these operations under his supervision and in accordance with his instructions, except when such information is indispensable to enable the data subject toto exercise effectively the rights conferred upon it by this Regulation, and provided that the rights and freedoms of such employees are taken into account.
The ECJ further states – based on a corresponding question for reference – that these considerations also apply to banks, at least as long as the national legislator has not provided for a restriction of the right of access (according to Art. 23 GDPR).