On December 15, 2022, the Advocates General (“AG”) of the Court of Justice of the European Union (“CJEU”) issued two separate opinions in cases C‑487/21 and C‑579/21 on the right of access, pursuant to Article 15 GDPR. The first case concerns the proper interpretation and application of Article 15(3), which permits a data subject to obtain a “copy” of their personal data, among other things. The second case concerns whether the right of access includes the right to receive the identity of the controller’s employees who are processing the data subject’s personal data in the scope of their employment.
First Case (C-487/21)
The claimant requested from a consulting agency a copy of his personal data. The agency provided to the claimant the requested information in an aggregated form, without transmitting any emails or database extracts in which the data was found. The claimant brought a complaint before the Austrian Supervisory Authority alleging that the agency should have provided a copy of all documents, including emails or database extracts containing the personal data. The Supervisory Authority dismissed the claim, denying that there was an infringement of the GDPR right of access.
The claimant appealed to the Austrian courts. The relevant Austrian tribunal asked the CJEU whether the right to obtain a copy of personal data undergoing processing, pursuant to Article 15(3), must be interpreted narrowly in accordance with Article 15(1), or whether it confers a separate right to receive a copy of information, which would include copies of documents or database extracts in which personal data are processed.
The AG opined, among other things, the following in relation to the right of access:
- A “copy of personal data”, as per Article 15(3) GDPR, is a faithful, “word-for-word” reproduction of that data and must be presented in an intelligible form to enable the data subject to exercise the right of access to the personal data. The exact form of the copy is to be determined on a case-by-case basis, considering the circumstances of the case.
- The term “information”, within Article 15(3) GDPR, refers to the information in points 15(a) to (h) GDPR, in relation to the personal data undergoing processing. As such, it does not extend to metadata on the processing of personal data, which would expand the right of access contained in the GDPR.
According to the AG:
- Article 15(1) sets out the subject matter and scope of the right of access, whereby the data subject can enquire as to whether or not their personal data is processed, and if so, obtain information, mentioned in points (a) to (h) of Article 15 GDPR; and
- Article 15(3) GDPR prescribes the form in which the controller must make available the personal data, most notably, in the form of a copy. As such, the right to obtain a copy of personal data is not an independent right, but rather must be read in light of the purpose of the right of access, which is to enable the data subject to exercise additional rights enshrined in the GDPR (e.g., right to rectification, right to erasure, right to object).
The AG states that Article 15(3) GDPR does not grant a “general right of access” to information, such as a full copy of the document that contains personal data, or an extract from a database. However, the AG finds that this does not mean that the controller should not provide documents or extracts from databases containing personal data, where it would be necessary to ensure that the personal data is intelligible, as per Article 15(3) GDPR. In these circumstances, the right to obtain a copy of personal data is limited, and should not adversely affect the rights and freedoms of others, which includes the protection of trade secrets and intellectual property rights. As such, data controllers must conduct a balancing act, where there is a conflict between the access to personal data and third-party rights, and select the approach that is most protective of the competing rights at stake.
Second Case (C‑579/21)
This case concerns an employee at a bank, who sought the identity and the positions of the bank’s employees who considered his personal data during an internal investigation. The bank refused to provide the claimant with the requested information, which led the claimant to bring the matter before the Finnish Supervisory Authority. The Supervisory Authority rejected the claim and the case was appealed to the EU courts.
Firstly, the AG draws a distinction between information that constitutes personal data and information merely concerning the processing of the personal data (e.g., purpose of processing and subject matter). The AG states that the information requested by the claimant concerns only the processing operations and not the claimant’s personal data, pursuant to Article 4(1) GDPR. As a result, the claimant cannot obtain the information regarding the bank’s employees.
In addition, the AG notes that, where an employee acts under the “direct authority” of their employer, he/she will not be classified as a “recipient” of personal data (as per Article 15(1)(c) GDPR), such that their identities do not have to be disclosed to the claimant as a matter of transparency. However, this is not the case for employees who act outside the instructions of the controller, and who would be regarded, in their own right, as recipients and controllers of the personal data.
The AG opines that the claimant’s interest in the identity of the employees who process the personal data needs to be balanced with (i) the controller’s interest in safeguarding the identity of the employees and (ii) the employees’ protection of their own personal data. The AG considered that only where there are sufficient doubts about the lawfulness of the actions of the controller’s employees, can the Supervisory Authority decide to disclose their identity.
As a final point, the AG reiterates that the GDPR does not provide a data subject with a right to learn the identity of employees who process personal data while employed by the controller. However, this does not preclude Member States from adopting sectoral rules calling for the disclosure of the identity of a controller’s employees. For example, as mentioned in the oral hearing, Finland provides for such a disclosure, in particular, with regard to health data.
* * *
The AG’s opinion is not binding on the CJEU, but can be influential and is often followed. The Covington Privacy and Cyber team will report back once the CJEU renders its judgment.