Opinion of Advocate General Campos Sánchez-Bordona delivered on 15 December 2022.

Jurisdiction: European Union
ECLI: ECLI:EU:C:2022:1001
Date: 15 December 2022
Celex Number: 62021CC0579
Court: Court of Justice (European Union)

Provisional text

OPINION OF ADVOCATE GENERAL

CAMPOS SÁNCHEZ-BORDONA

delivered on 15 December 2022 (1)

Case C-579/21

J.M.

intervener:

Apulaistietosuojavaltuutettu,

Pankki S

(Request for a preliminary ruling from the Itä-Suomen hallinto-oikeus (Administrative Court of Eastern Finland, Finland))

(Reference for a preliminary ruling – Processing of personal data – Regulation (EU) 2016/679 – User log data – Right of access – Definition of personal data – Definition of recipient – Personnel in the department responsible for processing)






1. An employee who was also a customer of a financial institution requested the latter to tell him the identity of the persons who had consulted his personal data in the context of an internal investigation. Following the refusal of the institution to provide him with that information, the applicant used the appropriate means of appeal which ultimately led to him bringing an action before the Itä-Suomen hallinto-oikeus (Administrative Court of Eastern Finland, Finland).

2. That court has made a reference to the Court of Justice for a preliminary ruling on the interpretation of Regulation (EU) 2016/679. (2) In answering the questions referred, the Court of Justice will have to rule on the right of the data subject to access certain information relating to the processing of his or her personal data.

I. Legislative framework

A. European Union law. The GDPR

3. Recital 11 states:

‘Effective protection of personal data throughout the Union requires the strengthening and setting out in detail of the rights of data subjects and the obligations of those who process and determine the processing of personal data, as well as equivalent powers for monitoring and ensuring compliance with the rules for the protection of personal data and equivalent sanctions for infringements in the Member States.’

4. Article 4, entitled ‘Definitions’, states:

‘For the purpose of this Regulation, the following definitions shall apply:

(1) “personal data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

(2) “processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

(9) “recipient” means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. …’

5. Article 15, entitled ‘Right of access of the data subject’, provides in paragraph 1 thereof:

‘The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:

(a) the purposes of the processing;

(b) the categories of personal data concerned;

(c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;

(d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;

(e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;

(f) the right to lodge a complaint with a supervisory authority;

(g) where the personal data are not collected from the data subject, any available information as to their source;

(h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.’

6. Article 24, entitled ‘Responsibility of the controller’, states in paragraph 1 thereof:

‘Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.’

7. Article 25, headed ‘Data protection by design and by default’, provides in paragraph 2 thereof:

‘The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons.’

8. Article 29, entitled ‘Processing under the authority of the controller and processor’, states:

‘The processor and any person acting under the authority of the controller or of the processor, who has access to personal data, shall not process those data except on instructions from the controller, unless required to do so by Union or Member State law’.

9. Article 30, entitled ‘Records of processing activities’, provides:

‘1. Each controller and, where applicable, the controller’s representative, shall maintain a record of processing activities under its responsibility. That record shall contain all of the following information:

(a) the name and contact details of the controller and, where applicable, the joint controller, the controller’s representative and the data protection officer;

(b) the purposes of the processing;

(c) a description of the categories of data subjects and of the categories of personal data;

(d) the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations;

(f) where possible, the envisaged time limits for erasure of the different categories of data;

(g) where possible, a general description of the technical and organisational security measures referred to in Article 32(1).

2. Each processor and, where applicable, the processor’s representative shall maintain a record of all categories of processing activities carried out on behalf of a controller, containing:

(a) the name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and, where applicable, of the controller’s or the processor’s representative, and the data protection officer;

(b) the categories of processing carried out on behalf of each controller;

(c) where applicable, the categories of transfers of personal data to a third country or an international organisation;

(d) where possible, a general description of the technical and organisational security measures referred to in Article 30(1).

3. The records referred to in paragraphs 1 and 2 shall be in writing, including in electronic form.

4. The controller or the processor and, where applicable, the controller’s or the processor’s representative, shall make the record available to the supervisory authority on request.

5. The obligations referred to in paragraphs 1 and 2 shall not apply to an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data … or personal data relating to criminal convictions and offences …’

10. Article 58, entitled ‘Powers’, states in paragraph 1 thereof:

‘Each supervisory authority shall have all of the following investigative powers:

(a) to order the controller and the processor, and, where applicable, the controller’s or the processor’s representative to provide any information it requires for the performance of its tasks;

…’

B. National law

1. Tietosuojalaki (1050/2018) (3)

11. According to Paragraph 30, the provisions concerning the processing of employees’ personal data, the tests and checks to be carried out on employees, the requirements to be met for that purpose, as well as those concerning technical surveillance at the workplace and access to and opening of an employee’s emails are laid down in the Laki yksityisyyden suojasta työelämässä (759/2004). (4)

12. Under Paragraph 34(1), the data subject does not have a right of access to the data collected concerning him or her within the meaning of Article 15 of the GDPR, in so far as:

(1) the provision of the data is likely to endanger national security, defence, public security and public policy or the prevention and investigation of criminal offences;

(2) the provision of the data could pose a serious risk to the health or care of the data subject or to the rights of the data subject or a third party; or

(3) the personal data are used in supervisory and control activities and the withholding of the data is necessary for the protection of an important economic or financial interest of Finland or the European Union.

13. Pursuant to Paragraph 34(2), where only part of the...
