Plaintiff seeks information on querying customer data
An employee and customer of the Finnish bank Pankki S learned in 2014 that his personal data had been requested several times by other employees of the bank in the period from November 1st, 2013 to December 31st, 2013. The employee, whose employment at Pankki S has since been terminated, has doubts as to the legality of the queries. On May 29, 2018, he then asked Pankki S to disclose the identity of the people who had requested his customer data, the exact time of the requests and the purposes for which this data was processed.
Bank refuses information with reference to personal data
The bank refused to provide any information about the identity of the employees who had carried out the inquiries, as this information was personal data. However, it gave details of the inquiries carried out by its internal audit department, explaining that a customer of the bank, for whom the seeker was the relationship manager, was a creditor of a person with the same surname as the seeker. The bank therefore wanted to clarify whether the seeker and the debtor in question were identical and whether there might have been an improper conflict of interest.
GDPR also applicable to processing operations before entry into force
The information seeker contacted the Office of the Data Protection Commissioner of Finland and requested that Pankki S be instructed to provide him with the requested information. After that application was rejected, he brought an action before the Administrative Court of Eastern Finland, which asked the ECJ for an interpretation of Art. 15 GDPR. The ECJ first stated that the GDPR, which has been in force since May 25th, 2019, is applicable to a request for information submitted after this date if the processing operations relating to this request, as here, were carried out before the application date of the GDPR.
Balancing the rights of the person concerned and the employee
In principle, a person may request from the controller information that concerns queries about their own personal data and that relates to the point in time and the purposes of these operations. On the other hand, the GDPR does not provide for such a right in relation to information about the employees who carried out these operations in accordance with the controller's instructions, unless this information is essential to enable the data subject to effectively exercise his or her rights, and provided that the rights and freedoms of those employees are taken into account. If the exercise of a right to information on the one hand and the rights and freedoms of other persons on the other collide, the rights and freedoms in question must be weighed against each other. If possible, modalities should be chosen that do not violate these rights and freedoms.
Former employment at a bank irrelevant for the right to information
The fact that the controller carries out banking business as a regulated activity, and that the person whose personal data was processed in his capacity as a customer of the controller was also employed by that controller, does not in principle affect the scope of the right granted to that person.
On ECJ, judgment of 22.06.2023 – C-579/21
Editorial office beck-aktuell, June 22, 2023.