JUDGMENT OF THE COURT (First Chamber)
22 June 2023 (*)
(Reference for a preliminary ruling – Processing of personal data – Regulation (EU) 2016/679 – Articles 4 and 15 – Scope of the right of access to information referred to in Article 15 – Information contained in log data – Article 4 – Definition of ‘personal data’ – Definition of ‘recipients’ – Temporal application)
In Case C-579/21,
REQUEST for a preliminary ruling under Article 267 TFEU from the Itä-Suomen hallinto-oikeus (Administrative Court of Eastern Finland, Finland), made by decision of 21 September 2021, received at the Court on 22 September 2021, in the proceedings brought by
J.M.
intervening parties:
Apulaistietosuojavaltuutettu,
Pankki S,
THE COURT (First Chamber),
composed of A. Arabadjiev, President of the Chamber, P.G. Xuereb, T. von Danwitz, A. Kumin and I. Ziemele (Rapporteur), Judges,
Advocate General: M. Campos Sánchez-Bordona,
Registrar: C. Strömholm, Administrator,
having regard to the written procedure and further to the hearing on 12 October 2022,
after considering the observations submitted on behalf of:
– J.M., by himself,
– the Apulaistietosuojavaltuutettu, by A. Talus, tietosuojavaltuutettu,
– Pankki S, by T. Kalliokoski and J. Lång, asianajajat, and by E.-L. Hokkonen, oikeustieteen maisteri,
– the Finnish Government, by A. Laine and H. Leppo, acting as Agents,
– the Czech Government, by A. Edelmannová, M. Smolek and J. Vláčil, acting as Agents,
– the Austrian Government, by A. Posch, acting as Agent,
– the European Commission, by A. Bouchagiar, H. Kranenborg and I. Söderlund, acting as Agents,
after hearing the Opinion of the Advocate General at the sitting on 15 December 2022,
gives the following
Judgment
1 This request for a preliminary ruling concerns the interpretation of Article 15(1) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ 2016 L 119, p. 1) (‘the GDPR’).
2 The request has been made in proceedings brought by J.M. seeking annulment of the decision of the Apulaistietosuojavaltuutettu (Assistant Data Protection Supervisor, Finland) rejecting his request that Pankki S, a banking institution established in Finland, be ordered to communicate to him certain information in relation to consultation operations carried out on his personal data.
Legal context
3 Recitals 4, 10, 11, 26, 39, 58, 60, 63 and 74 of the GDPR state:
‘(4) The processing of personal data should be designed to serve mankind. The right to the protection of personal data is not an absolute right; …
…
(10) In order to ensure a consistent and high level of protection of natural persons and to remove the obstacles to flows of personal data within the [European] Union, the level of protection of the rights and freedoms of natural persons with regard to the processing of such data should be equivalent in all Member States. …
(11) Effective protection of personal data throughout the Union requires the strengthening and setting out in detail of the rights of data subjects and the obligations of those who process and determine the processing of personal data, …
…
(26) … To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly. …
…
(39) Any processing of personal data should be lawful and fair. It should be transparent to natural persons that personal data concerning them are collected, used, consulted or otherwise processed and to what extent the personal data are or will be processed. The principle of transparency requires that any information and communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used. That principle concerns, in particular, information to the data subjects on the identity of the controller and the purposes of the processing and further information to ensure fair and transparent processing in respect of the natural persons concerned and their right to obtain confirmation and communication of personal data concerning them which are being processed. Natural persons should be made aware of risks, rules, safeguards and rights in relation to the processing of personal data and how to exercise their rights in relation to such processing. In particular, the specific purposes for which personal data are processed should be explicit and legitimate and determined at the time of the collection of the personal data. …
…
(58) The principle of transparency requires that any information addressed to the public or to the data subject be concise, easily accessible and easy to understand, and that clear and plain language and, additionally, where appropriate, visualisation be used. Such information could be provided in electronic form, for example, when addressed to the public, through a website. This is of particular relevance in situations where the proliferation of actors and the technological complexity of practice make it difficult for the data subject to know and understand whether, by whom and for what purpose personal data relating to him or her are being collected, such as in the case of online advertising. Given that children merit specific protection, any information and communication, where processing is addressed to a child, should be in such a clear and plain language that the child can easily understand.
…
(60) The principles of fair and transparent processing require that the data subject be informed of the existence of the processing operation and its purposes. The controller should provide the data subject with any further information necessary to ensure fair and transparent processing taking into account the specific circumstances and context in which the personal data are processed. …
…
(63) A data subject should have the right of access to personal data which have been collected concerning him or her, and to exercise that right easily and at reasonable intervals, in order to be aware of, and verify, the lawfulness of the processing. … Every data subject should therefore have the right to know and obtain communication in particular with regard to the purposes for which the personal data are processed, where possible the period for which the personal data are processed, the recipients of the personal data, the logic involved in any automatic personal data processing and, at least when based on profiling, the consequences of such processing. … That right should not adversely affect the rights or freedoms of others, including trade secrets or intellectual property and in particular the copyright protecting the software. …
…
(74) The responsibility and liability of the controller for any processing of personal data carried out by the controller or on the controller’s behalf should be established. In particular, the controller should be obliged to implement appropriate and effective measures and be able to demonstrate the compliance of processing activities with this Regulation, including the effectiveness of the measures. Those measures should take into account the nature, scope, context and purposes of the processing and the risk to the rights and freedoms of natural persons.’
4 Article 1 of the GDPR, headed ‘Subject matter and objectives’, provides in paragraph 2 thereof:
‘This Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.’
5 Article 4 of that regulation provides:
‘For the purposes of this Regulation:
(1) “personal data” means any information relating to an identified or identifiable natural person …; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
(2) “processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
…
(7) “controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; …
…
(9) “recipient” means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. …
…
(21) “supervisory authority” means an independent public authority which is established by a Member State pursuant to Article 51;
…’
6 Article 5 of that regulation, entitled ‘Principles relating to processing of personal data’, is worded as follows:
‘1. Personal data shall be:
(a) processed lawfully, fairly and in a transparent manner in relation to the data subject (“lawfulness, fairness and transparency”);
…
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (“integrity and confidentiality”).
2. The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (“accountability”).’
7 Article 12 of the GDPR, entitled ‘Transparent information, communication and modalities for the exercise of the rights of the data subject’, states:
‘1. The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, … The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. …
…
5. … Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either:
…
(b) refuse to act on the request.
The controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.
…’
8 Article 15 of that regulation, entitled ‘Right of access by the data subject’, provides:
‘1. The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
(a) the purposes of the processing;
(b) the categories of personal data concerned;
(c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
(d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
(e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
(f) the right to lodge a complaint with a supervisory authority;
(g) where the personal data are not collected from the data subject, any available information as to their source;
(h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
…
3. The controller shall provide a copy of the personal data undergoing processing. …
4. The right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others.’
9 Articles 16 and 17 of that regulation lay down, respectively, the data subject’s right to have inaccurate personal data rectified (right of rectification), as well as the right, in certain circumstances, to erasure of those data (right to erasure or ‘right to be forgotten’).
10 Article 18 of that regulation, entitled ‘Right to restriction of processing’, provides in paragraph 1 thereof:
‘The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:
(a) the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
(b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
(c) the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
(d) the data subject has objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the controller override those of the data subject.’
11 Article 21 of the GDPR, entitled ‘Right to object’, provides in paragraph 1 thereof:
‘The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.’
12 Under Article 24(1) of that regulation:
‘Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. …’
13 Article 29 of that regulation, entitled ‘Processing under the authority of the controller or processor’, is worded as follows:
‘The processor and any person acting under the authority of the controller or of the processor, who has access to personal data, shall not process those data except on instructions from the controller, unless required to do so by Union or Member State law.’
14 Article 30 of the GDPR, entitled ‘Records of processing activities’, provides:
‘1. Each controller and, where applicable, the controller’s representative, shall maintain a record of processing activities under its responsibility. …
…
4. The controller … and, where applicable, the controller’s … representative, shall make the record available to the supervisory authority on request.
…’
15 Article 58 of that regulation, entitled ‘Powers’, provides, in paragraph 1 thereof:
‘Each supervisory authority shall have all of the following investigative powers:
(a) to order the controller and the processor, and, where applicable, the controller’s or the processor’s representative to provide any information it requires for the performance of its tasks;
…’
16 Article 77 of that regulation, entitled ‘Right to lodge a complaint with a supervisory authority’, states as follows:
‘1. Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes this Regulation.
2. The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78.’
17 Article 79 of the GDPR, entitled ‘Right to an effective judicial remedy against a controller or processor’, states in paragraph 1 thereof:
‘Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority pursuant to Article 77, each data subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with this Regulation.’
18 Article 82 of that regulation, entitled ‘Right to compensation and liability’, provides in paragraph 1 thereof:
‘Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.’
19 In accordance with Article 99(2) thereof, the GDPR has been applicable from 25 May 2018.
The dispute in the main proceedings and the questions referred for a preliminary ruling
20 In 2014, J.M., who was then an employee and customer of Pankki S, learned that his own customer data had been accessed by members of the bank’s staff on several occasions during the period from 1 November to 31 December 2013.
21 Since he had doubts as to the lawfulness of those consultations, J.M., who had in the meantime been dismissed from his post with Pankki S, on 29 May 2018 asked Pankki S to inform him of the identity of the persons who had consulted his customer data, the exact dates of the consultations and the purposes for which those data were processed.
22 In its reply of 30 August 2018, Pankki S, in its capacity as controller within the meaning of Article 4(7) of the GDPR, refused to disclose the identity of the employees who had carried out the consultation operations on the ground that that information constituted the personal data of those employees.
23 However, in that reply, Pankki S provided further details of the consultation operations carried out, on its instructions, by its internal audit department. It thus explained that a customer of the bank in respect of whom J.M. was the customer advisor was a creditor of a person also bearing J.M.’s surname, so that the bank had wished to clarify whether the applicant in the main proceedings and the debtor in question were one and the same person and whether there might have been a possible impermissible conflict of interest. Pankki S added that the clarification of that issue required the processing of J.M.’s data, and every member of the bank’s staff who had processed his data had given a statement to the internal audit department on the reasons for the processing of the data. In addition, the bank stated that those consultations had made it possible to rule out any suspicion of conflict of interest in relation to J.M.
24 J.M. applied to the Tietosuojavaltuutetun toimisto (Data Protection Supervisor’s Office, Finland), the supervisory authority within the meaning of Article 4(21) of the GDPR, for an order that Pankki S provide him with the information requested.
25 By decision of 4 August 2020, the Assistant Data Protection Supervisor rejected J.M.’s application. He explained that such an application sought to enable J.M. to gain access to the log data of the employees who had processed his data, whereas, under the Assistant Data Protection Supervisor’s decision-making practice, such log data constituted personal data relating not to the person concerned but to the employees who processed the data of that person.
26 J.M. brought an action against that decision before the referring court.
27 That court notes that Article 15 of the GDPR provides for the right of the data subject to obtain from the controller access to the data processed concerning him or her and information relating, inter alia, to the purposes of the processing and recipients of the data. It asks whether the communication of the log data generated during processing operations, which contain such information, in particular the identity of the controller’s employees, is covered by Article 15 of the GDPR, since those log data might prove necessary to the data subject for the purposes of assessing the lawfulness of the processing of his or her data.
28 In those circumstances, the Itä-Suomen hallinto-oikeus (Administrative Court of Eastern Finland) decided to stay the proceedings and to refer the following questions to the Court of Justice for a preliminary ruling:
‘(1) Is the data subject’s right of access under Article 15(1) of the [GDPR], considered in conjunction with the [concept of] “personal data” within the meaning of Article 4(1) thereof, to be interpreted as meaning that information collected by the controller, which indicates who processed the data subject’s personal data and when and for what purpose they were processed, does not constitute information in respect of which the data subject has a right of access, in particular because it consists of data concerning the controller’s employees?
(2) If Question 1 is answered in the affirmative and the data subject does not have a right of access to the information referred to in that question on the basis of Article 15(1) of the [GDPR], because it does not constitute “personal data” of the data subject within the meaning of Article 4(1) of [that regulation], it remains necessary in the present case to consider the information in respect of which the data subject does have a right of access in accordance with Article 15(1)[(a) to (h)]:
(a) How is the purpose of processing within the meaning of Article 15(1)(a) [of the GDPR] to be interpreted in relation to the scope of the data subject’s right of access, that is to say, can the purpose of the processing give rise to a right of access to the user log data collected by the controller, such as information concerning personal data of the processors and the time and the purpose of the processing of the personal data?
(b) In that context, can the persons who processed J.M.’s customer data be regarded, under certain criteria, as recipients of the personal data within the meaning of Article 15(1)(c) of the [GDPR], in respect of whom the data subject would be entitled to obtain information?
(3) Is the fact that the bank at issue performs a regulated activity or that J.M. was both an employee and a customer of the bank at the same time relevant to the present case?
(4) Is the fact that J.M.’s data were processed before the entry into force of the [GDPR] relevant to the examination of the questions set out above?’
Consideration of the questions referred
The fourth question
29 By its fourth question, which it is appropriate to examine first, the referring court asks, in essence, whether Article 15 of the GDPR, read in the light of Article 99(2) of that regulation, is applicable to a request for access to the information referred to in the first of those provisions where the processing operations covered by that request were carried out before the date on which that regulation became applicable, but the request was made after that date.
30 In order to answer that question, it should be noted that, under Article 99(2) of the GDPR, that regulation has been applicable since 25 May 2018.
31 In the present case, it is apparent from the order for reference that the personal data processing operations at issue in the main proceedings were carried out between 1 November 2013 and 31 December 2013, that is to say, before the date on which the GDPR became applicable. However, it is also apparent from that decision that J.M. submitted his request for information to Pankki S after that date, namely on 29 May 2018.
32 In that regard, it must be borne in mind that procedural rules are generally taken to apply from the date on which they enter into force, as opposed to substantive rules, which are usually interpreted as applying to situations that have arisen and become definitive before their entry into force only in so far as it follows clearly from their terms, their objectives or their general scheme that such an effect must be given to them (judgment of 15 June 2021, Facebook Ireland and Others, C-645/19, EU:C:2021:483, paragraph 100 and the case-law cited).
33 In the present case, it is apparent from the order for reference that J.M.’s request to be provided with the information at issue in the main proceedings is connected with Article 15(1) of the GDPR, which provides for the right of the data subject to obtain access to personal data concerning him or her which are being processed, and to the information referred to in that provision.
34 It must be stated that that provision does not concern the conditions under which the processing of the personal data of the data subject is lawful. Article 15(1) of the GDPR merely specifies the scope of that data subject’s right of access to the data and to the information which it covers.
35 It follows, as the Advocate General observed in point 33 of his Opinion, that Article 15(1) of the GDPR confers on data subjects a procedural right consisting of obtaining information about the processing of their personal data. As a procedural rule, that provision applies to requests for access made from the entry into application of that regulation, such as J.M.’s request.
36 In those circumstances, the answer to the fourth question is that Article 15 of the GDPR, read in the light of Article 99(2) of that regulation, must be interpreted as meaning that it is applicable to a request for access to the information referred to in that provision where the processing operations which that request concerns were carried out before the date on which that regulation became applicable, but the request was submitted after that date.
The first and second questions
37 By its first and second questions, which it is appropriate to examine together, the referring court asks, in essence, whether Article 15(1) of the GDPR must be interpreted as meaning that information relating to consultation operations carried out on a data subject’s personal data and concerning the dates and purposes of those operations, and the identity of the natural persons who carried out those operations, constitutes information which that data subject is entitled to obtain from the controller under that provision.
38 As a preliminary point, it should be borne in mind that, in accordance with settled case-law, the interpretation of a provision of EU law requires that account be taken not only of its wording, but also of its context and the objectives and purpose pursued by the act of which it forms part (judgment of 12 January 2023, Österreichische Post (Information regarding the recipients of personal data), C-154/21, EU:C:2023:3, paragraph 29).
39 As regards, first of all, the wording of Article 15(1) of the GDPR, that provision states that the data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed and, where that is the case, access to the personal data and information about the purposes of the processing and the recipients or categories of recipient to whom those personal data have been or will be disclosed.
40 In that regard, it must be pointed out that the concepts in Article 15(1) of the GDPR are defined in Article 4 of that regulation.
41 Thus, in the first place, Article 4(1) of the GDPR states that personal data is ‘any information relating to an identified or identifiable natural person’ and specifies that ‘an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person’.
42 The use of the expression ‘any information’ in the definition of the concept of ‘personal data’ in that provision reflects the aim of the EU legislature to assign a wide scope to that concept, which potentially encompasses all kinds of information, not only objective but also subjective, in the form of opinions and assessments, provided that it ‘relates’ to the data subject (judgment of 4 May 2023, Österreichische Datenschutzbehörde and CRIF, C-487/21, EU:C:2023:369, paragraph 23).
43 In that regard, it has been held that information relates to an identified or identifiable natural person where, by reason of its content, purpose or effect, it is linked to an identifiable person (judgment of 4 May 2023, Österreichische Datenschutzbehörde and CRIF, C-487/21, EU:C:2023:369, paragraph 24).
44 As regards the ‘identifiable’ nature of a person, recital 26 of the GDPR states that account should be taken of ‘all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly’.
45 Therefore, the broad definition of the concept of ‘personal data’ covers not only data collected and stored by the controller, but also includes all information resulting from the processing of personal data relating to an identified or identifiable person (see, to that effect, judgment of 4 May 2023, Österreichische Datenschutzbehörde and CRIF, C-487/21, EU:C:2023:369, paragraph 26).
46 In the second place, as regards the concept of ‘processing’, as defined in Article 4(2) of the GDPR, it should be noted that, by using the expression ‘any operation’, the EU legislature intended to give that concept a broad scope by using a non-exhaustive list of operations applied to personal data or sets of personal data, which cover, among others, collection, recording, storage or also consultation (see, to that effect, judgment of 4 May 2023, Österreichische Datenschutzbehörde and CRIF, C-487/21, EU:C:2023:369, paragraph 27).
47 In the third place, Article 4(9) of the GDPR states that ‘recipient’ means ‘a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not’.
48 In that regard, the Court has held that the data subject has the right to obtain from the controller information about the specific recipients to whom the personal data concerning him or her have been or will be disclosed (judgment of 12 January 2023, Österreichische Post (Information regarding the recipients of personal data), C-154/21, EU:C:2023:3, paragraph 46).
49 Therefore, it follows from the textual analysis of Article 15(1) of the GDPR and the concepts contained therein that the right of access granted to the data subject by that provision is characterised by the broad scope of the information that the controller must provide to the data subject.
50 As regards, next, the context of Article 15(1) of the GDPR, in the first place, recital 63 of that regulation provides that every data subject should have the right to know and obtain communication in particular with regard to the purposes for which the personal data are processed, where possible the period for which the personal data are processed and the recipients of the personal data.
51 In the second place, recital 60 of the GDPR states that the principles of fair and transparent processing require that the data subject be informed of the existence of the processing operation and its purposes, it being stressed that the controller should provide any further information necessary to ensure fair and transparent processing, taking into account the specific circumstances and context in which the personal data are processed. Furthermore, in accordance with the principle of transparency, alluded to by the referring court, to which recital 58 of the GDPR refers and which is expressly enshrined in Article 12(1) of that regulation, any information sent to the data subject must be concise, easily accessible and easy to understand, and formulated in clear and plain language.
52 In that regard, Article 12(1) of the GDPR states that the information must be provided by the controller in writing or by other means, including, where appropriate, by electronic means, unless the data subject requests that it be provided orally. The purpose of that provision, an expression of the principle of transparency, is to ensure that the data subject is able fully to understand the information sent to him or her (judgment of 4 May 2023, Österreichische Datenschutzbehörde and CRIF, C-487/21, EU:C:2023:369, paragraph 38 and the case-law cited).
53 It follows from the foregoing contextual analysis that Article 15(1) of the GDPR is one of the provisions intended to ensure the transparency of the manner in which personal data are processed in relation to the data subject.
54 Lastly, that interpretation of the scope of the right of access provided for in Article 15(1) of the GDPR is supported by the objectives pursued by that regulation.
55 First, as stated in recitals 10 and 11 thereof, the purpose of that regulation is to ensure a consistent and high level of protection of natural persons within the European Union and to strengthen and set out in detail the rights of data subjects.
56 In addition, as is apparent from recital 63 of the GDPR, the right of a data subject to have access to his or her own personal data and to the other information referred to in Article 15(1) of that regulation is intended, first of all, to enable that person to become aware of the processing and to verify its lawfulness. It follows, according to that same recital and as stated in paragraph 50 above, that every data subject should have the right to know and obtain communication in particular with regard to the purposes for which the personal data are processed, where possible the period for which the personal data are processed, the recipients of the personal data and the logic involved in their processing.
57 In that regard, it must be recalled, secondly, that the Court has already held that the right of access provided for in Article 15 of the GDPR must enable the data subject to ensure that the personal data relating to him or her are correct and that they are processed in a lawful manner (judgment of 4 May 2023, Österreichische Datenschutzbehörde and CRIF, C-487/21, EU:C:2023:369, paragraph 34).
58 In particular, that right of access is necessary to enable the data subject to exercise, depending on the circumstances, his or her right to rectification, right to erasure (‘right to be forgotten’) or right to restriction of processing, conferred, respectively, by Articles 16 to 18 of the GDPR, as well as the data subject’s right to object to his or her personal data being processed, laid down in Article 21 of the GDPR, and right of action where he or she suffers damage, laid down in Articles 79 and 82 of the GDPR (judgment of 4 May 2023, Österreichische Datenschutzbehörde and CRIF, C-487/21, EU:C:2023:369, paragraph 35 and the case-law cited).
59 Accordingly, Article 15(1) of the GDPR is one of the provisions intended to ensure transparency vis-à-vis the data subject of the manner in which personal data are processed (judgment of 12 January 2023, Österreichische Post (Information regarding the recipients of personal data), C-154/21, EU:C:2023:3, paragraph 42), without which that data subject would not be in a position to assess the lawfulness of the processing of his or her data or to exercise the rights provided for, inter alia, in Articles 16 to 18, 21, 79 and 82 of that regulation.
60 In the present case, it is apparent from the order for reference that J.M. requested Pankki S to provide him with information relating to the consultation operations carried out on his personal data between 1 November 2013 and 31 December 2013, including the dates of those consultations, their purposes and the identity of the persons who carried them out. The referring court states that the transmission of the log data generated during those operations would make it possible to respond to J.M.’s request.
61 Here, it is not disputed that the consultation operations carried out on the personal data of the applicant in the main proceedings constitute ‘processing’ within the meaning of Article 4(2) of the GDPR, with the result that they confer on him, pursuant to Article 15(1) of that regulation, not only a right of access to those personal data, but also a right to be provided with the information linked to those operations, as referred to in the latter provision.
62 In respect of information such as that requested by J.M., the communication, first of all, of the dates of the consultation operations is such as to enable the data subject to obtain confirmation that his personal data have actually been processed at a given time. In addition, since the conditions of lawfulness laid down in Articles 5 and 6 of the GDPR must be satisfied at the point of the processing itself, the date of that processing is a factor which makes it possible to verify its lawfulness. Next, it should be noted that information relating to the purposes of the processing is expressly referred to in Article 15(1)(a) of that regulation. Lastly, Article 15(1)(c) of that regulation provides that the controller is to inform the data subject of the recipients to whom his or her data have been disclosed.
63 As regards, specifically, the communication of all that information by means of the provision of the log data relating to the processing operations at issue in the main proceedings, it should be noted that the first sentence of Article 15(3) of the GDPR states that the controller ‘shall provide a copy of the personal data undergoing processing’.
64 In that regard, the Court has already held that the concept of ‘copy’ thus used refers to the faithful reproduction or transcription of an original, with the result that a purely general description of the data undergoing processing or a reference to categories of personal data does not correspond to that definition. Furthermore, it is apparent from the wording of the first sentence of Article 15(3) of that regulation that the disclosure obligation relates to the personal data undergoing the processing in question (see, to that effect, judgment of 4 May 2023, Österreichische Datenschutzbehörde and CRIF, C-487/21, EU:C:2023:369, paragraph 21).
65 The copy that the controller is required to provide must contain all the personal data undergoing processing, must have all the characteristics necessary for the data subject effectively to exercise his or her rights under that regulation and must, consequently, reproduce those data fully and faithfully (see, to that effect, judgment of 4 May 2023, Österreichische Datenschutzbehörde and CRIF, C-487/21, EU:C:2023:369, paragraphs 32 and 39).
66 In order to ensure that the information thus provided is easy to understand, as required by Article 12(1) of the GDPR, read in conjunction with recital 58 of that regulation, the reproduction of extracts from documents or even entire documents or extracts from databases which contain, inter alia, the personal data undergoing processing may prove to be essential where the contextualisation of the data processed is necessary in order to ensure the data are intelligible. In particular, where personal data are generated from other data or where such data result from empty fields, that is to say, where there is an absence of information which provides information about the data subject, the context in which the data are processed is an essential element in enabling the data subject to have transparent access and an intelligible presentation of those data (judgment of 4 May 2023, Österreichische Datenschutzbehörde and CRIF, C-487/21, EU:C:2023:369, paragraphs 41 and 42).
67 In the present case, as the Advocate General observed in points 88 to 90 of his Opinion, the log data, which contain the information requested by J.M., correspond to records of activities, within the meaning of Article 30 of the GDPR. It must be held that they fall within the scope of the measures, referred to in recital 74 of that regulation, implemented by the controller to demonstrate the compliance of the processing activities with that regulation. Article 30(4) of that regulation specifies in particular that they must be made available to the supervisory authority on its request.
68 In so far as those records of activities do not contain information relating to an identified or identifiable natural person within the meaning of the case-law referred to in paragraphs 42 and 43 above, they merely enable the controller to fulfil his or her obligations towards the supervisory authority which requests the provision of those records.
69 As regards, more specifically, the controller’s log data, the disclosure of a copy of the information contained in those files may be necessary in order to satisfy the obligation to provide the data subject with access to all the information referred to in Article 15(1) of the GDPR and to ensure fair and transparent processing, thus enabling him or her fully to assert his or her rights under that regulation.
70 First, such log data reveal the existence of data processing, information to which the data subject must have access under Article 15(1) of the GDPR. In addition, they provide information on the frequency and intensity of the consultation operations, thus enabling the data subject to ensure that the processing carried out is actually motivated by the purposes put forward by the controller.
71 Secondly, those files contain information relating to the identity of the persons who carried out the consultation operations.
72 In the present case, it is apparent from the order for reference that the persons who carried out the consultation operations at issue in the main proceedings are employees of Pankki S, who acted under its authority and in accordance with its instructions.
73 Although it follows from Article 15(1)(c) of the GDPR that the data subject has the right to obtain from the controller information relating to the recipients or categories of recipients to whom the personal data have been or will be disclosed, the employees of the controller cannot be regarded as being ‘recipients’, within the meaning of Article 15(1)(c) of the GDPR, as recalled in paragraphs 47 and 48 above, when they process personal data under the authority of that controller and in accordance with its instructions, as the Advocate General observed in point 63 of his Opinion.
74 In that regard, it must be pointed out that, in accordance with Article 29 of the GDPR, any person acting under the authority of the controller who has access to personal data may process those data only on instructions from that controller.
75 That being the case, the information contained in the log data relating to the persons who have consulted the data subject’s personal data could constitute information falling within the scope of Article 4(1) of the GDPR, as recalled in paragraph 41 above, capable of enabling him or her to verify the lawfulness of the processing of his or her data and, in particular, to satisfy him or herself that the processing operations were actually carried out under the authority of the controller and in accordance with its instructions.
76 Nevertheless, first, it is apparent from the order for reference that the information in log data such as those at issue in the main proceedings makes it possible to identify the employees who carried out the processing operations and contains personal data of those employees, within the meaning of Article 4(1) of the GDPR.
77 In that regard, it should be recalled that, as regards the right of access provided for in Article 15 of the GDPR, recital 63 of that regulation states that ‘that right should not adversely affect the rights or freedoms of others’.
78 Under recital 4 of the GDPR, the right to the protection of personal data is not an absolute right, since it must be considered in relation to its function in society and be balanced against other fundamental rights (see, to that effect, judgment of 16 July 2020, Facebook Ireland and Schrems, C-311/18, EU:C:2020:559, paragraph 172).
79 Even if the disclosure of the information relating to the identity of the controller’s employees to the data subject may be necessary for that data subject in order to ensure the lawfulness of the processing of his or her personal data, it is nevertheless liable to infringe the rights and freedoms of those employees.
80 In those circumstances, in the event of a conflict between, on the one hand, the exercise of a right of access which ensures the effectiveness of the rights conferred on the data subject by the GDPR and, on the other hand, the rights or freedoms of others, a balance will have to be struck between the rights and freedoms in question. Wherever possible, means of communicating personal data that do not infringe the rights or freedoms of others should be chosen, bearing in mind that, as follows from recital 63 of the GDPR, ‘the result of those considerations should not be a refusal to provide all information to the data subject’ (see, to that effect, judgment of 4 May 2023, Österreichische Datenschutzbehörde and CRIF, C-487/21, EU:C:2023:369, paragraph 44).
81 However, secondly, it is apparent from the order for reference that J.M. does not seek disclosure of the information relating to the identity of Pankki S’s employees who carried out the consultation operations on his personal data on the ground that they did not actually act under the authority and in accordance with the instructions of the controller, but appears to doubt the veracity of the information relating to the purpose of those consultations communicated to him by Pankki S.
82 In such circumstances, if the data subject were to consider the information provided by the controller to be insufficient to enable him or her to dispel his or her doubts as to the lawfulness of the processing of his or her personal data, he or she has the right to lodge a complaint with the supervisory authority on the basis of Article 77(1) of the GDPR, that authority having the power, under Article 58(1)(a) of that regulation, to request the controller to provide it with any information it needs in order to examine the data subject’s complaint.
83 It follows from the foregoing considerations that Article 15(1) of the GDPR must be interpreted as meaning that information relating to consultation operations carried out on a data subject’s personal data and concerning the dates and purposes of those operations constitutes information which that person has the right to obtain from the controller under that provision. On the other hand, that provision does not lay down such a right in respect of information relating to the identity of the employees of that controller who carried out those operations under its authority and in accordance with its instructions, unless that information is essential in order to enable the data subject effectively to exercise the rights conferred on him or her by that regulation and provided that the rights and freedoms of those employees are taken into account.
The third question
84 By its third question, the referring court asks, in essence, whether the fact, first, that the controller is engaged in the business of banking and acts within the framework of a regulated activity and, second, that the data subject whose personal data has been processed in his or her capacity as a customer of the controller was also an employee of that controller is relevant for the purposes of defining the scope of the right of access conferred on him or her by Article 15(1) of the GDPR.
85 At the outset, it should be noted that, as regards the scope of the right of access provided for in Article 15(1) of the GDPR, no provision of that regulation draws a distinction according to the nature of the activities of the controller or the status of the person whose personal data are being processed.
86 As regards, first, the regulated nature of Pankki S’s activity, it is true that Article 23 of the GDPR allows Member States to restrict by way of a legislative measure the scope of the obligations and rights provided for, inter alia, in Article 15 of that regulation.
87 However, it is not apparent from the order for reference that Pankki S’s activity is subject to such legislation.
88 As regards, secondly, the fact that J.M. was both a customer and an employee of Pankki S, it should be noted that, having regard not only to the objectives of the GDPR but also to the scope of the data subject’s right of access, as recalled in paragraphs 49 and 55 to 59 above, the context in which that data subject requests access to the information referred to in Article 15(1) of the GDPR cannot have any influence on the scope of that right.
89 Consequently, Article 15(1) of the GDPR must be interpreted as meaning that the fact that the controller is engaged in the business of banking and acts within the framework of a regulated activity and that the data subject whose personal data has been processed in his or her capacity as a customer of the controller was also an employee of that controller, in principle, has no effect on the scope of the right of access conferred on that data subject by that provision.
Costs
90 Since these proceedings are, for the parties to the main proceedings, a step in the action pending before the referring court, the decision on costs is a matter for that court. Costs incurred in submitting observations to the Court, other than the costs of those parties, are not recoverable.
On those grounds, the Court (First Chamber) hereby rules:
1. Article 15 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), read in the light of Article 99(2) of that regulation,
must be interpreted as meaning that it is applicable to a request for access to the information referred to in that provision where the processing operations which that request concerns were carried out before the date on which that regulation became applicable, but the request was submitted after that date.
2. Article 15(1) of Regulation 2016/679
must be interpreted as meaning that information relating to consultation operations carried out on a data subject’s personal data and concerning the dates and purposes of those operations constitutes information which that person has the right to obtain from the controller under that provision. On the other hand, that provision does not lay down such a right in respect of information relating to the identity of the employees of that controller who carried out those operations under its authority and in accordance with its instructions, unless that information is essential in order to enable the person concerned effectively to exercise the rights conferred on him or her by that regulation and provided that the rights and freedoms of those employees are taken into account.
3. Article 15(1) of Regulation 2016/679
must be interpreted as meaning that the fact that the controller is engaged in the business of banking and acts within the framework of a regulated activity and that the data subject whose personal data has been processed in his or her capacity as a customer of the controller was also an employee of that controller has, in principle, no effect on the scope of the right of access conferred on that data subject by that provision.
[Signatures]
* Language of the case: Finnish.