FTCC | Studio Legale Associato


European Case Law

Court of Justice, First Chamber

22 June 2023, Case C579/21

(J.M.; intervening parties: Apulaistietosuojavaltuutettu, Pankki S)

Reference for a preliminary ruling – Processing of personal data – Regulation (EU) 2016/679 – Articles 4 and 15 – Scope of the right of access to information referred to in Article 15 – Information contained in log data – Article 4 – Definition of ‘personal data’ – Definition of ‘recipients’ – Temporal application

1. Article 15 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), read in the light of Article 99(2) of that regulation,

must be interpreted as meaning that it is applicable to a request for access to the information referred to in that provision where the processing operations which that request concerns were carried out before the date on which that regulation became applicable, but the request was submitted after that date.

2. Article 15(1) of Regulation 2016/679

must be interpreted as meaning that information relating to consultation operations carried out on a data subject’s personal data and concerning the dates and purposes of those operations constitutes information which that person has the right to obtain from the controller under that provision. On the other hand, that provision does not lay down such a right in respect of information relating to the identity of the employees of that controller who carried out those operations under its authority and in accordance with its instructions, unless that information is essential in order to enable the person concerned effectively to exercise the rights conferred on him or her by that regulation and provided that the rights and freedoms of those employees are taken into account.

3. Article 15(1) of Regulation 2016/679

must be interpreted as meaning that the fact that the controller is engaged in the business of banking and acts within the framework of a regulated activity and that the data subject whose personal data has been processed in his or her capacity as a customer of the controller was also an employee of that controller has, in principle, no effect on the scope of the right of access conferred on that data subject by that provision.

categoria:European Case Law