Right of access and copy - Clarification regarding the answer to be provided by the employer

In a recent decision, the Data Protection Authority (DPA) recalled the importance of the right of access. The data subject’s right of access is an essential provision in the data protection legislation, since it constitutes the “gateway” for exercising the other rights conferred by the GDPR. Although the DPA recognises that the right of access is not absolute, it cannot simply give way to the rights and freedoms of others in such a way that any right of access is refused.

The facts

An employee was working in a company active in the computer consulting sector. The employee concerned submitted a request to his employer to exercise his right to access and/or copy regarding all the personal data collected about him. In his view, the answer provided by his employer was insufficient. He therefore lodged a complaint with the DPA. In his complaint, the employee also raised the fact that the company took photos of its employees at company events and then published them on the company’s intranet without their consent.

Decision of the DPA’s dispute chamber

The DPA clarifies the level of accuracy of the response to be provided by the employer as regards the request for the right of access and/or copy of the data subject, in particular when these rights conflict with the rights and freedoms of others. According to the DPA, the balancing of the right of access and/or copy with the rights and freedoms of others may not lead to the refusal of any communication of information to the data subject.

First of all, the DPA sets out the three principles listed in Article 15 of the GDPR:

  • the data subject has the right to obtain confirmation from the controller whether or not personal data are being processed;
  • if this is the case, the data subject has the right to gain access to these data as well as to the information listed in Article 15.1 a) – h) of the GDPR;
  • the data subject has the right to obtain a free copy of his personal data.

The DPA then examines, for certain types of personal data, the extent to which the requirements of the right of access and/or copy, and its limits, can be met:

1. Right of access to notes or comments in the human resources file

The DPA acknowledges the existence of a limitation to the right of access and/or copy, which may not infringe the rights and freedoms of others. However, the risk of infringing the personal data (the notes) of the former hierarchical superiors and the employee’s human resources manager, an argument relied on by the employer, is not sufficient to lead to any refusal to communicate information to the data subject.

Indeed, the DPA states that it is possible to meet the requirements of the right of access and its limits by anonymising the data of third parties mentioned in the notes or comments.

In the present case, there was a violation by the employer of Article 15.1 and 15.3 of the GDPR.

2. Right of access to IT logs

The DPA recommends in the first place the keeping of a log register in order to guarantee the effectiveness of the protection of personal data.

The risk invoked by the employer of infringing the right to privacy of the authors of IT logs by granting the employee’s request for the right to access cannot lead to refusal. Thus, in the same way as for the right of access to notes or comments in the human resources file, preference should be given to the rule of anonymisation, in the present case of the personal data of the authors of IT logs, in order to meet the requirements of the right of access and its limits.

On the other hand, the DPA acknowledges, with reference to a judgment of the ECJ, that a balance must be struck between the exercise of the employee’s right of access and the burden that the obligation to comply with this right of access would represent (second argument invoked by the employer).

To the extent that a systematic search of all IT logs relating to an employee would involve a disproportionate workload, the employer may refuse on that basis the employee's right of access to the IT logs.

In other words, granting the complainant’s request would impose on the employer an obligation that is disproportionate relative to the complainant’s interest in exercising his right to data protection.

In the present case, there was no violation by the employer of Article 15.1 of the GDPR.

3. Request for a copy of e-mails

The DPA emphasises that the fact that an employee has access to e-mails at the time of his request does not prejudice his right to obtain a copy, so that the employer is not exempted from its obligation for that reason (first argument invoked by the employer). Furthermore, regarding the risk invoked by the employer of infringing the right to privacy of other senders or recipients in the e-mails (second argument of the employer), it is again possible to anonymise the personal data of other recipients or senders of the e-mails.

The allegation of business secrecy as a justification for refusing to grant the request for a copy of an employee’s e-mails can be upheld. The DPA stated that, although business secrecy should be interpreted restrictively where it constitutes a limitation on the fundamental right of data protection, in the present case it considered that, in view of the potentially sensitive information in the e-mails in question, the risk to the employer’s business secrecy was sufficiently demonstrated. The DPA points out that in another case, where this risk was not demonstrated, the data concerning third parties should be anonymised so as not to infringe the rights of third parties. In the present case, there was no violation by the employer of Article 15.3 of the GDPR.

Right to an image

As a preliminary remark, it is important to note that in this decision, the DPA only addresses the right to an image.

When an employee invokes his right to an image, in relation to photos taken during events as in the present case, he is required to clearly specify whether or not the photos are targeted. Indeed, only the taking and distribution of targeted photos require a legal basis such as consent. However, in the present case, the employee did not prove the existence and/or distribution of targeted photos of himself, nor did he indicate that such photos had been taken at company events organised by the employer.

Moreover, the DPA points out that, in the present case, the employer invited the employees who did not want their photos to be registered or distributed on the intranet to contact the DPR (Data Protection Representative) so that the latter would undertake to delete them.

In the present case, there was no violation by the employer of the right to image.

Action point

We are seeing more cases in which (former) employees exercise their right to access and/or copy the personal data processed about them and make a request to the employer in this respect. This DPA decision is interesting as it gives indications on how the employer must respond following such a request.

If you consider that, by granting an employee’s request for access and/or copy of his personal data, you risk infringing the rights and freedoms of others, ensure that the personal data of these third parties are made anonymous in order to meet the requirements of the right of access and its limits. It is also possible, as an employer, to deny the right of access if you can prove the risk of a breach of business secrecy (e.g. in case of potentially sensitive information). An employee’s request for access can also be denied if granting it would imply a disproportionate workload for the employer (e.g. a systematic search of all IT logs).

Also make sure that you always obtain prior consent from your employees when publishing or distributing targeted photos.