In a recent landmark case, the Court of Justice of the EU (CJEU) ruled that data subjects have the right to obtain from the controller information relating to consultation operations carried out on their personal data and concerning the dates and purposes of such operations. This ruling defines the scope and limits of data subject access requests (DSARs) under the GDPR, which companies will need to consider when responding to DSARs.

The case - post dismissal DSAR

An employee of a bank, who was also a customer of that bank, learnt that his personal data had been consulted by other members of the bank’s staff on several occasions.

After having been dismissed by the bank as an employee, the data subject asked the bank to inform him of the identity of the persons who had consulted his customer data, the exact dates of the consultations and the purposes for which those data had been processed.

The bank provided information about the dates and the purposes of the consultations carried out by its internal audit department. The bank also stated that the consultations had made it possible to rule out any suspicion of conflict of interests in relation to the applicant. However, it refused to disclose the identity of the employees who consulted the personal data due to confidentiality.

Ruling - data subject rights are not absolute

The CJEU confirmed that data subjects have the right to obtain from the controller information relating to consultation operations carried out on their personal data and concerning the dates and purposes of such operations.

However, the CJEU considers that the GDPR does not set out a right in respect of information relating to the identity of the individuals who processed the data in accordance with the controller’s instructions, unless that information is “essential” in order to enable the data subject effectively to exercise this right.

The CJEU also recalls that data subjects' rights are not absolute and need to be balanced against the rights of others. In this case, the CJEU considered that revealing the identities of the employees concerned was not necessary for the data subject to effectively exercise his right of access.

Accordingly, the bank did not infringe the GDPR by denying access to this information.

Retroactivity 

Also, the processing activities targeted by the right of access were dated 2014, prior to the entry into force of the GDPR.

The CJEU confirmed that the GDPR applies to an access request that concerns data processing operations carried out before the application date of the GDPR (i.e. 25 May 2018).

CJEU judgments on access requests

The CJEU has recently rendered other important decisions concerning interpretation of key aspects of data subject rights.

  • In Österreichische Datenschutzbehörde v CRIF GmbH (C-487/21), the CJEU ruled that the right of access gives the data subject the right to obtain a “faithful and intelligible” reproduction of all his personal data. This includes copies of extracts from documents, entire documents, or extracts from databases, if this is necessary to enable the data subject to exercise effectively his rights under GDPR.

  • In another recent case (RW v. Österreichische Post AG (Case C-154/21)), the CJEU decided that organisations must generally disclose the specific identity of data recipients on request from an individual in order to give effect to the right of access.

Data subject access requests are an important part of the European data protection framework. However, these cases highlight that such requests need to be applied in light of the proportionality principle and other fundamental rights, or else they could impose significant burdens on controllers.