IP case law Court of Justice

Referral C-579/21 (Pankki S, 22 Sep 2021)



Is the data subject’s right of access under Article 15(1) of the General Data Protection Regulation, considered in conjunction with the [concept of] ‘personal data’ within the meaning of point 1 of Article 4 of that regulation, to be interpreted as meaning that information collected by the controller which indicates who processed the data subject’s personal data and when and for what purpose they were processed does not constitute information in respect of which the data subject has a right of access, in particular because it consists of data concerning the controller’s employees?

If Question 1 is answered in the affirmative and the data subject does not have a right of access to the information referred to in that question on the basis of Article 15(1) of the General Data Protection Regulation because it does not constitute ‘personal data’ of the data subject within the meaning of point 1 of Article 4 of the General Data Protection Regulation, it remains necessary in the present case to consider the information in respect of which the data subject does have a right of access in accordance with Article 15(1)[(a) to (h)]:

a. How is the purpose of processing within the meaning of Article 15(1)(a) to be interpreted in relation to the scope of the data subject’s right of access, that is to say, can the purpose of the processing give rise to a right of access to the user log data collected by the controller, such as information concerning personal data of the processors and the time and the purpose of the processing of the personal data?

b. In that context, can the persons who processed J.M.’s customer data be regarded, under certain criteria, as recipients of the personal data within the meaning of Article 15(1)(c) of the General Data Protection Regulation, in respect of whom the data subject would be entitled to obtain information?

Is the fact that the bank at issue performs a regulated activity or that J.M. was both an employee and a customer of the bank at the same time relevant to the present case?

Is the fact that J.M.’s data were processed before the entry into force of the General Data Protection Regulation relevant to the examination of the questions set out above?

