Every person has the right to know the date of and the reasons for the consultation of his or her personal data (ECJ)

According to the Judgment of the European Court  of Justice (22/6/2023) in Case C-579/21 (Pankki S), every person has the right to know the date of and the reasons for the consultation of his or her personal data. The fact that the data controller is engaged in the business of banking has no effect on the scope of that right.

In 2014, an employee of the bank Pankki S who was, at the same time, a customer of that bank, learnt that his personal data had been consulted by other members of the bank’s staff, on several occasions, between 1 November and 31 December 2013. Since he had doubts as to the lawfulness of those consultations, that employee, who had in the meantime been dismissed from his post within Pankki S, on 29 May 2018 asked Pankki S to inform him of the identity of the persons who had consulted his customer data, the exact dates of the consultations and the purposes for which those data had been processed. 

In its reply of 30 August 2018, Pankki S refused to disclose the identity of the employees who had carried out the consultation operations on the ground that that information constituted the personal data of those employees. On the other hand, Pankki S provided further details of the consultation operations, carried out by its internal audit department, stating that a customer of the bank in respect of whom the applicant was the customer advisor was a creditor of a person also bearing the applicant’s surname. 

That bank had thus wished to clarify whether the applicant and the debtor in question were one and the same person and whether there could have been any impermissible conflict of interests. Pankki S added that the clarification of that issue required the processing of the data at issue, specifying that every member of the bank’s staff who had processed those data had made a statement to the internal audit department on the reasons for the processing of those data. In addition, the bank stated that those consultations had made it possible to rule out any suspicion of conflict of interests in relation to the applicant. 

The applicant applied to the Data Protection Supervisor’s Office, Finland, seeking an order that Pankki S provide him with the information requested. Since that application was rejected, the applicant brought an action before the Administrative Court of Eastern Finland, which has asked the Court of Justice to interpret Article 15 of the General Data Protection Regulation (GDPR). [1]

In its judgment, the Court observes, first, that the GDPR, which has been applicable since 25 May 2018, applies to a request made after that date where that request concerns operation for the processing of personal data carried out before the date on which the GDPR became applicable. Next, the Court holds that the GDPR must be interpreted as meaning that information relating to consultation operations carried out on a data subject’s personal data and concerning the dates and purposes of those operations constitutes information which that person has the right to obtain from the controller. 

On the other hand, the GDPR does not lay down such a right in respect of information relating to the identity of the employees who carried out those operations in accordance with the controller’s instructions, unless that information is essential in order to enable the data subject effectively to exercise the rights conferred on him or her by that regulation and provided that the rights and freedoms of those employees are taken into account. In the event of a conflict between, on the one hand, the exercise of a right of access which ensures the effectiveness of the rights conferred on the data subject by the GDPR and, on the other hand, the rights or freedoms of others, a balance will have to be struck between the rights and freedoms in question. 

Wherever possible, means of communicating personal data that do not infringe the rights or freedoms of others should be chosen. Lastly, the Court rules that the fact that the controller is engaged in the business of banking and acts within the framework of a regulated activity and that the data subject whose personal data has been processed in his capacity as a customer of the controller was also an employee of that controller has, in principle,no effect on the scope of the right conferred on that data subject. (curia.europa.eu/photo freepik.com)

Full text of decision is available here


[1]  Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ 2016 L 119, p. 1).



George Kazoleas, Lawyer

Top Stories

Ombudsman inquiry on Commission President’s text messages is a wake-up call for EU

Accidents on board an aircraft: The strict liability of airlines under the Montreal convention extends to inadequate first aid administered on board an aircraft

Airbnb is not required to hold an estate agent’s professional licence as it did not notify the Commission of that requirement in accordance with the Directive on electronic commerce

First judgment of the ECHR: Lawless v. Ireland

Early repayment of the loan: Borrower's right to reduction in the total cost of the credit and bank's compensation right

Politically Exposed Persons (PEPs): What and Why?

Processing of personal data: decisions taken by a supervisory authority in the context of the indirect exercise of the rights of the data subject are legally binding (ECJ)