European Union: Issued CJEU ruling in lawsuit involving the right to know the date of and the reasons for the consultation of his or her personal data (Apulaistietosuojavaltuutettu v Pankki S/ Case C-579/21)

On 22 June 2023, the European Court of Justice (CJEU) issued its ruling in a lawsuit involving the right of an individual to know the date of and the reasons for the consultation of his or her personal data based on Article 15 of General Data Protection Regulation (GDPR), in the case Apulaistietosuojavaltuutettu v Pankki S, Case C-579/21. The CJEU ruled that individuals have the right to know when and why their personal data is accessed, regardless of whether the data controller is a bank. In this case, an employee/customer discovered unauthorized access to their data and requested information on the identity of the employees involved, the dates of access, and the purposes. While the CJEU recognized the right to access information about data consultations, it stated that disclosing employee identities depends on the necessity for the effective exercise of rights and respecting employee rights. The nature of the controller being a bank and the employee's dual role didn't affect the data subject's right to access their data.