GDPR

Access to log files under the GDPR: are you allowed to know which employee has viewed your file?

Joris Deene
1 month ago
180 views
6 minutes reading time

The right of access is one of the cornerstones of the General Data Protection Regulation (GDPR). Many citizens wonder how far this right extends: as a data subject, can you demand that an organization, such as a government agency or bank, disclose exactly which specific employee has accessed your file and at what time? The answer is nuanced. Although you have the right to access the processing history (log files), the Court of Justice of the European Union ruled in a ruling of 3 December 2025 (Cases T-318/24 and T-362/24) that this does not automatically mean that you will be given the names of individual employees.

The facts and context

This legal issue was addressed in a case before the General Court of the European Union (hereinafter: the General Court) between a job applicant and the European Personnel Selection Office (EPSO).

The applicant, who had participated in various selection procedures, submitted a request for access based on Regulation (EU) 2018/1725. This is a specific regulation for EU institutions, which is virtually identical in content to the general GDPR that applies to Belgian companies and public authorities.

Among other things, the applicant demanded full access to the “log files” of his profile. He wanted to know not only when his file had been consulted, but also by whom (the identity of the EPSO staff members) and for what specific purpose. EPSO refused to disclose the names of the staff members, citing the protection of their rights and freedoms. In addition, the applicant demanded the “restoration” of data that EPSO had deleted after a retention period of two years.

The decision of the General Court

The General Court upheld the European Commission's (responsible for EPSO) position on all counts and dismissed the applicant's claims..

1. No automatic right to employee names

The Court referred to the earlier Pankki S judgment of the Court of Justice. It ruled that employees who process personal data under the authority of their employer are not considered “recipients” of that data within the meaning of data protection law. Although log files contain useful information about the lawfulness of the processing, the interest of the data subject in knowing the identity of the employee does not generally outweigh the rights and freedoms of those employees. Unless this information is essential for the data subject to exercise their rights (e.g., in the case of a concrete suspicion of abuse), the controller is not required to disclose the names of its staff.

2. Deletion is permanent

The Court confirmed that the deletion of data after the expiry of the retention period constitutes lawful processing. Data protection law does not recognize a “right to restoration” of lawfully deleted data.

3. Access to data, not documents

Finally, the Court reiterated that the right of access relates to the personal data itself, and not to the documents (such as internal notes, chats, or emails) as such. If the controller claims that certain data does not exist, there is a presumption of lawfulness that the applicant must rebut with evidence.

Legal analysis and interpretation

Thisruling confirms the consistent line in European case law on the balance between the right of access (Article 15 GDPR / Article 17 Regulation 2018/1725) and the rights of third parties.

The key point is the interpretation of the term ‘recipient’.. The legislation requires organizations to be transparent about the recipients to whom data is provided. However, internal staff acting under the instructions of the controller do not legally qualify as ‘recipients’ (third parties), but as an extension of the organization itself.

This is of great importance in practice. An unlimited right to access information about who clicks on which file internally could lead to the “naming and shaming” of employees or civil servants who are simply doing their job. The Court applies a proportionality test here:

  • The log files must show the frequency and intensity of the consultations (so that citizens can check whether this is abnormal).
  • The identity of the person seeking advice remains confidential, unless the citizen can demonstrate that this information is necessary for legal proceedings (e.g., in the case of a complaint about unlawful access by an ex-partner who works for the service).

Furthermore, the ruling emphasizes the importance of data minimization and storage limitation. The fact that EPSO deleted data after two years was not considered a violation, but rather compliance with Article 4(1)(e) (storage limitation) and Article 19 (erasure). The applicant's argument that this deletion was “unlawful” because he still needed the data was rejected. An organization may and must erase data when the need for processing ceases to exist.

What this specifically means

The impact of this ruling extends beyond EU institutions; the principles are directly applicable to the Belgian private and public sectors under the GDPR.

  • For the citizen (data subject): You have the right to know when your file has been accessed and why. However, do not expect to receive a list of names of individual bank employees, nurses, or civil servants as a matter of course. You will have to demonstrate why you need those specific names in order to defend your rights.
  • For employers and organizations: You are required to keep log files (“logging”) in order to demonstrate the security and legitimacy of the processing (accountability). However, in the event of a request for access, you may anonymize or redact the names of your employees, unless there are exceptional circumstances. This protects your staff from unnecessary exposure.
  • Regarding internal communication: A request for access is not a ‘fishing expedition’ for internal emails or Teams chats. You only need to provide the personal data from those documents, not the documents themselves, unless they are inextricably linked.

FAQ: Frequently asked questions

Am I entitled to a list of names of everyone who has viewed my file?
No, in principle not. You have the right to access the processing activities (times, purposes), but the specific names of employees who performed their work are usually protected to safeguard their privacy, unless you can prove that you need these names for legal proceedings.

Can I demand that an organization restore my deleted data?
No. If an organization has deleted your data in accordance with their retention periods (retention policy), this is a lawful action. The GDPR does not recognize a “right to restoration” of correctly deleted data.

Does this also apply to internal memos and chat sessions about me?
The right of access gives you access to your personal data, not necessarily to the internal documents themselves. An organization can suffice with an overview of the processed data, without handing over copies of all internal chats or minutes, as long as you can verify that the data is correct.

Conclusion

The recent ruling in the case WS against the European Commission confirms that data protection law is not an absolute right, but must always be balanced against the rights of others, including employees of the processing organization. Transparency is mandatory, but complete openness about internal personnel actions is not, unless there are valid reasons for it.

Are you involved in a dispute about the processing of your personal data or are you faced with a complex request for access? Our attorneys, who specialize in data protection and GDPR compliance, are ready to analyze your case and defend your interests. Feel free to contact us for initial advice.

Joris Deene

Attorney-partner at Everest Attorneys

View all posts

You might also like this

Contact

Questions? Need advice?
Contact Attorney Joris Deene.

Phone: 09/280.20.68
E-mail: joris.deene@everest-law.be

Topics