The CJEU has recently ruled on a matter in which an individual (who both worked for and was a customer of a Finnish bank) made a subject access request to his employer asking for, amongst other things, the names of the employees who had accessed and processed his personal data, whom he deemed to be recipients of the data under Article 15 of the GDPR. His employer refused to provide the names on the basis that they did not form part of his personal data.
The data subject (unsatisfied with the approach of the Finnish regulator) brought a claim in the Finnish courts, which was escalated to the Court of Justice of the European Union (CJEU) for a preliminary ruling. The CJEU held that personal data includes information generated during processing, such as access logs (and the dates and purposes of the access), and so such information may need to be disclosed to the individual. However, the court caveated this by saying that, under the GDPR, receiving such data is not an absolute right: the identity of the employees should not be provided unless that information is essential in order to enable the data subject effectively to exercise the rights conferred on him or her by the GDPR, and provided that the rights and freedoms of those employees are taken into account.
Furthermore, the CJEU concluded that the employees who had accessed or processed the individual’s data are not deemed to be recipients of the data, as they processed the data under the controller’s instructions.
The case report can be found here.