What’s this about?
The European Court of Justice (“the European Court”) recently ruled about the scope of the Subject Access Right (“SAR”) under the EU General Data Protection Regulation (“EU GDPR”) in circumstances where an organization’s employees have consulted an individual’s personal data; we wrote about the Advocate General’s Opinion in this matter here https://www.corderycompliance.com/eu-gdpr-sar-0223/. This article takes a brief look at the issues.
What’s the legal and factual background?
EU GDPR (and also UK GDPR along with the UK Data Protection Act 2018) allow individuals to make SARs to organizations (acting as data controllers) where they can seek to obtain information about the personal data held about them by organizations, subject to certain exceptions.
An individual (referred to in the case by the initials “JM”) who was an employee (but was later dismissed) and also a customer of a bank in Finland made a SAR where JM requested the bank (as data controller) to tell JM the identity of members of the bank’s staff who had consulted JM’s (customer) personal data (on several occasions) because JM had doubts as to the lawfulness of those consultations, along with the exact dates of the consultations and the purposes for which those data had been processed.
In its reply to the SAR the bank refused to disclose the identity of the employees who had carried out the consultation operations on the ground that that information constituted the personal data of those employees. However, the bank provided further details of the consultation operations, carried out by its internal audit department, stating that a customer of the bank in respect of whom JM was the customer advisor was a creditor of a person also bearing JM’s surname, so that the bank had wished to clarify whether the individual who had brought the legal proceedings and the debtor in question were one and the same person and whether there could have been any impermissible conflict of interests. The bank added that the clarification of that issue required the processing of the data at issue, specifying that every member of the bank’s staff who had processed those data had made a statement to the internal audit department as to the reasons for the processing of those data. In addition, the bank stated that those consultations had made it possible to rule out any suspicion of conflict of interests in relation to JM.
Following this, the individual brought a complaint before the Finnish data protection regulator requesting that the bank be ordered to supply the information concerned. The Finnish regulator rejected the complaint, following which the individual brought legal proceedings. The court in question then referred a number of questions to the European Court asking, principally: whether EU GDPR (Article 15) must be interpreted as meaning that information relating to consultation operations carried out on an individual’s personal data and concerning the dates and purposes of those operations, and the identity of those individuals who carried out those operations, constitutes information which the individual in question is entitled to obtain from the data controller (here, the bank); and, whether the fact that the bank performs a regulated activity or that JM was both an employee and a customer at the same time were relevant to the matter.
What did the court rule?
The court ruled as follows:
- Under EU GDPR, information relating to consultation operations carried out on an individual’s personal data and concerning the dates and purposes of those operations constitutes information which that individual has the right to obtain from the (bank) data controller;
- However, EU GDPR does not lay down such a right concerning information relating to the identity of the employees who carried out those operations in accordance with the (bank) data controller’s instructions, unless that information is essential in order to enable an individual effectively to exercise the rights conferred on the individual by EU GDPR and provided that the rights and freedoms of those employees are taken into account;
- In the event of a conflict between, on the one hand, the exercise of a right of access which ensures the effectiveness of the rights conferred on an individual by EU GDPR and, on the other hand, the rights or freedoms of others, a balance must be struck between the rights and freedoms in question. Wherever possible, means of communicating personal data that do not infringe the rights or freedoms of others should be chosen; and,
- The fact that in this case the data controller is engaged in the business of banking and acts within the framework of a regulated activity and that the individual whose personal data has been processed in his capacity as a customer of the (bank) data controller was also an employee of that controller has, in principle, no effect on the scope of the right conferred on that individual.
What are the takeaways?
Organizations should consider reviewing their SAR policies and procedures to ensure that there is a clear understanding and guidance as to the circumstances when, in responding to a SAR, they can and cannot disclose the identity of employees of the organization who have accessed the personal data of the individual making the SAR, including with regard to internal investigations.
We have written about Subject Access Requests here: https://www.corderycompliance.com/dpi-sar-0823-05/, here: https://www.corderycompliance.com/ico-sar-qa-0623-04/, here: https://www.corderycompliance.com/ec-sar-0523-02/, here: https://www.corderycompliance.com/ico-sar-uk1/, here: https://www.corderycompliance.com/sars-under-gdpr/, here: https://www.corderycompliance.com/limits-on-sars-uk-court-rulings/, here: https://www.corderycompliance.com/ico-sars-enforcement-lewisham-council/, and here https://www.corderycompliance.com/uk-appeal-court-ruling-on-balancing-test-in-sars-2/.
We report about data protection and privacy issues here https://www.corderycompliance.com/category/data-protection-privacy/.
The European Court’s ruling can be found here: https://curia.europa.eu/juris/document/document.jsf?text=&docid=274867&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=1008518.
For more information please contact Jonathan Armstrong or André Bywater who are lawyers with Cordery in London where their focus is on compliance issues.
|Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH||André Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH|
|Office: +44 (0)207 075 1784||Office: +44 (0)207 347 2365|
Photo Credit : Court of Justice of the European Union