ECJ, Case C‑579/21 – Advocate General’s Opinion: employees are not “recipients”.

In a request for information, the customer of a Finnish bank had demanded, among other things, information about which employees of the bank had access to his data during a certain period. The bank was right to refuse to provide this information, as the Advocate General of the ECJ holds in his Opinion in Case C‑579/21.

On the one hand, the names of these employees are not personal data concerning the customer:

55 As I will explain in more detail below, what is relevant in the present case is that the identity of the employees who requested J. M.’s data is not J. M.’s “personal data”.

On the other hand, the bank employees are not “recipients” about which information would have to be provided in accordance with Art. 15(1)(c) GDPR. According to Art. 4 No. 9 GDPR, “recipients” are entities “to which personal data are disclosed, whether or not it is a third party […]”. From the last half-sentence, one could infer that employees of the disclosing entity are also “recipients”. According to the Advocate General, this must be rejected, if only because employees “are authorized to process the personal data under the direct responsibility of the controller or processor”, which is why they are not “third parties” within the meaning of Art. 4 No. 10 GDPR:

I therefore take the position that the notion of recipient does not include employees of a legal entity who, using the data processing system of the legal entity and on behalf of its governing bodies, retrieve the personal data of a customer. If such employees act under the direct responsibility of the data controller, they do not become the “recipient” of the data by virtue of this alone.

This is convincing in its result. However, nothing can be derived from the definition of “third party” in Art. 4 No. 10 if No. 9 at the same time clarifies that not only “third parties” qualify as recipients. Be that as it may – subject to the reservation of unauthorized processing by an employee, which makes the latter a controller in his own right, the data subject may not request information about disclosures to the controller’s own employees. If he/she doubts the legality of the access regulations, he/she can only turn to the DPO of the controller or to the supervisory authority:

In such a case, the data subject may contact […] the Data Protection Officer (Article 38(4) GDPR) or lodge a complaint with the supervisory authority (Article 15(1)(f) and Article 77 GDPR). However, he or she is not entitled to directly obtain information about the personal data (the identity) of an employee who is subordinate to the controller or processor and acts in principle in accordance with the controller’s instructions.

The Advocate General’s clear concluding remark addressed to the ECJ is not unjustified:

In my opinion it would not be advisable for the Court of Justice to exercise quasi-legislative functions and amend the GDPR to introduce a new obligation to provide information that overrides the obligation set forth in Art. 15(1). This would be the case if the controller were obliged to inform the data subject not only of the identity of the recipient to whom the data have been disclosed, but also of the identity, without distinction, of each employee or person from the company’s inner circle who has had lawful access to the data.



