THE HAGUE, Netherlands (CN) — Even at work, everyone is entitled to know why and when their personal data was accessed under the EU’s data protection rules, the bloc’s highest court said Thursday.
The Administrative Court of Eastern Finland turned to the European Court of Justice for clarity after an ex-employee of Suur-Savon Osuuspankki complained that their ex-employer violated the General Data Protection Regulation by refusing to disclose who accessed their personal information.
“The fact that J.M. was both a customer and an employee of [Suur-Savon Osuuspankki],” the five-judge panel wrote, “cannot have any influence on the scope of [the right to access].”
Kept anonymous in court documents for privacy reasons, J.M. was also a customer at the regional bank in Eastern Finland. In 2014, J.M. discovered that other bank staff had accessed their personal data multiple times during two months of the previous year.
In 2018 J.M., who was no longer working for the financial institution, demanded more information about why the data had been accessed. The bank claimed it was part of an investigation by the company’s internal audit department into whether it had a conflict of interest with another client, but refused to hand over the names of staff who had conducted the research. According to Suur-Savon Osuuspankki, GDPR didn’t apply under these circumstances.
Dissatisfied with this response, J.M. filed a request with the Office of the Data Protection Supervisor in Finland to obtain the information. When that was denied, J.M. filed a complaint before the Administrative Court of Eastern Finland, which turned to the Luxembourg-based court for help.
The bank is considered a “controller” under the 2016 data protection legislation and therefore must adhere to the disclosure requirements set out in the GDPR. Since the information accessed was J.M.’s customer data, the fact that they were also employed by the bank is irrelevant.
However, the judges concluded that GDPR regulations don’t automatically require the bank to reveal the names of the employees who accessed the records, unless that information is “essential.” The judges advised the Finnish court that it must “strike a balance” between protecting the employees’ privacy and allowing J.M. access to his own data.
The case now returns to the Finnish court for a final resolution.


