In a request for information, the customer of a Finnish bank had demanded, among other things, information about which employees of the bank had access to his data during a certain period. The bank was right to refuse to provide this information, as the Advocate General of the ECJ holds in his Opinion in Case C‑579/21.
On the one hand, the names of these employees are not personal data concerning the customer:
55 As I will explain in more detail below, what is relevant in the present case is that the identity of the employees who requested J. M.’s data is not J. M.’s “personal data”.
On the other hand, the bank employees are not “recipients” about which information would have to be provided in accordance with Art. 15(1)(c) GDPR. According to Art. 4 No. 9 GDPR, “recipients” are entities “to which personal data are disclosed, whether or not it is a third party […]”. From the last half-sentence, one could infer that employees of the disclosing entity are also “recipients”. According to the Advocate General, this must be rejected, if only because employees “are authorized to process the personal data under the direct responsibility of the controller or processor”, which is why they are not “third parties” within the meaning of Art. 4 No. 10 GDPR:
I therefore take the position that the notion of recipient does not include employees of a legal entity who, using the data processing system of the legal entity and on behalf of its governing bodies, retrieve the personal data of a customer. If such employees act under the direct responsibility of the data controller, they do not become the “recipient” of the data by virtue of this alone.
This is convincing in its result. However, one cannot derive anything from the definition of “third party” in Art. 4 No. 10 if No. 9 at the same time clarifies that not only “third parties” are eligible as recipients. Be that as it may: subject to the reservation of unauthorized processing by an employee, which makes the latter a controller in his own right, the data subject may not request information about disclosures to the controller's own employees. If he or she doubts the legality of the access regulations, he or she can only turn to the DPO of the controller or to the supervisory authority:
In such a case, the data subject may contact […] the Data Protection Officer (Article 38(4) GDPR) or lodge a complaint with the supervisory authority (Article 15(1)(f) and Article 77 GDPR). However, he or she is not entitled to directly obtain information about the personal data (the identity) of an employee who is subordinate to the controller or processor and acts in principle in accordance with the controller’s instructions.
The Advocate General’s concluding, clear remark addressed to the ECJ is not unjustified:
In my opinion it would not be advisable for the Court of Justice to exercise quasi-legislative functions and amend the GDPR to introduce a new obligation to provide information that overrides the obligation set forth in Art. 15(1). This would be the case if the controller were obliged to inform the data subject not only of the identity of the recipient to whom the data have been disclosed, but also of the identity, without distinction, of each employee or person from the company’s inner circle who has had lawful access to the data.