Art. 15 GDPR regulates an important right of data subjects. According to this right, a person can request information from the controller as to whether and which personal data about them is stored. This right to information also includes further information pursuant to Art. 15 (1) (a)–(h) GDPR, such as the purposes of processing, the origin of the data, and the recipients to whom the data is transmitted. This is intended to verify the legality of the data processing and, in a second step, to enable the targeted exercise of other rights, such as the right to rectification, erasure, and the right to object.
How far does the right to information extend?
The scope of the information request under Art. 15 GDPR repeatedly raises questions, as it can involve considerable effort for the company. This is especially true when long-serving employees who are leaving the company express such a request. The following case is one such example.
An employee (and customer) of a Finnish financial institution requested information from his employer pursuant to Art. 15 GDPR – in particular, regarding the identity of the individuals who had received his personal data as part of internal investigations. The investigations ultimately led to the employee’s dismissal, so he wanted to have the data reviewed. He suspected improper conduct by his (former) colleagues, whom he considered “recipients” of the data within the meaning of Art. 15 GDPR, and requested information, including their names and positions within the company.
Are employees “recipients” according to Art. 15 (1) (c) GDPR?
From the perspective of the General Court Sánchez-Bordona, this makes it clear that employees who view personal data within the scope of their authority and, where applicable, on the instructions of the controller are not to be understood as “third parties” and should not otherwise be categorized as recipients. The General Court explains that in certain sectors of the economy, employee data represents particularly sensitive data for security reasons. Employees in the banking sector, for example, whose task is to prevent and combat financial crime, could otherwise be exposed to attempted pressure or influence by third parties.
Furthermore, data subjects can generally only request information regarding their own personal data, and the rights and freedoms of others must not be affected as a result (Article 15 (4) GDPR). However, from the perspective of the data subject, the identity of employees constitutes personal data of third parties. Therefore, information about employees must not be disclosed.
Special feature: employee excess
In the case of employee abuse, the employee fails to adhere to the procedures established by the controller and, without authorization, unlawfully processes data from customers or even other employees. In such a case, this person is not acting on behalf of or in the name of the controller, meaning that the definition of a third party within the meaning of Art. 4 No. 10 GDPR does not apply. This could constitute unlawful disclosure of the data by the employee—in effect, to themselves—making them the recipient or even (independently) controller. Possible consequences could include claims for damages and other obligations under the GDPR.