Date: 2023-07-12

The right of a data subject to gain access to his/her personal data and information relating to processing of same must be upheld indiscriminately by all controllers, including regulated entities such as banks, the Court of Justice of the European Union (CJEU) has recently affirmed.

Such right does not, however, in principle, extend to information relating to the identity of employees of the controller who processed the data in accordance with the controller’s instructions.

The General Data Protection Regulation (GDPR) protects individuals when their personal data is being processed and endows them with various rights in relation to any such processing. One such right relates to an individual’s right of access to his/her own data as held by a third party, that is, the controller. This includes the right of the data subject to obtain from the controller, confirmation as to whether personal data concerning him/her are being processed and access to such personal data.

The data subject is also entitled to obtain other information from the controller, which includes, among others, the purposes of processing, categories of personal data concerned, and the recipients or categories of recipient to whom the personal data have been or will be disclosed.

The facts of this case were briefly as follows. A bank employee, who was also a customer of the same bank, learnt that his personal data had been consulted by other members of staff on several occasions. Upon termination of employment, he asked the bank for information as to the identity of the employees who had consulted his data, the exact dates of the consultations and the purposes for which those data had been processed.

The bank refused to disclose the identity of the employees in question, maintaining that such information constituted personal data of the relevant employees. However, the bank did provide further details as to the consultation operations carried out by its internal audit department.

It maintained that access to the plaintiff’s data had been necessary for the bank to be able to ascertain whether a particular bank customer, who was at the time being serviced by the plaintiff himself, was in fact a creditor of the plaintiff since the latter and a debtor of the customer bore the same surname. Hence, the bank wanted to confirm whether the plaintiff and the debtor in question were one and the same person, and whether there was any possible conflict of interest.

To this end, it was necessary for the bank’s employees to process the plaintiff’s data and every member of the bank’s staff who had processed such data had made a statement to the bank’s internal audit department on the reasons for the processing of the relevant data. Such processing had made it possible to rule out any suspicion of conflict of interest in relation to the plaintiff.

Unsatisfied with the information provided by the bank, the aggrieved employee applied to the national Data Protection Supervisor’s Office, seeking an order for the bank to provide him with further information, including the identity of the employees who had processed his data. However, his application was rejected by the said office. He then proceeded to file judicial proceedings.

The national court seized of the case filed a preliminary reference before the CJEU, requesting guidance on the interpretation and applicability of the GDPR in relation to the proceedings before it.

The CJEU observed that whereas a data subject is, in terms of the GDPR, entitled to obtain from the controller, information relating to consultation operations carried out on his/her personal data and the dates and purposes of such operations, the same cannot be said of information relating to the identity of the employees who carried out such operations in accordance with the controller’s instructions. The data subject is only entitled to the latter information if it is essential to enable him/her to effectively exercise the rights conferred on him/her by the GDPR and provided that the rights and freedoms of the relevant employees are given due consideration.

In the eventuality of a conflict, a balance must be struck between the two sets of rights and any communication made by the controller to the data subject must, wherever possible, be carried out in a way whereby the rights and freedoms of others are respected.

The fact that the controller is within the banking industry and, hence, acts within the framework of a regulated activity, is irrelevant in so far as the scope of the rights of the data subject is concerned, the CJEU affirmed. Also, as a rule, it is irrelevant that the processing of the personal data had been carried out at a time when the relevant data subject was a customer, besides an employee of the controller.

For controllers, complying with the GDPR often means treading a fine line between satisfying the rights of data subjects and safeguarding the rights and freedoms of others. A delicate balance must often be struck to ensure that all relevant rights and freedoms, including those of third parties, are being safeguarded at all times.

Mariosa Vella Cardona is an independent legal consultant specialising in European law.