GDPR access right: How can employees obtain the personal data their company holds on them?
As the implications of the GDPR slowly work their way into employment law, the employee's right of access has recently been clarified by the French data protection authority (CNIL).
What is the GDPR access right?
Closely linked to its rectification (1) and erasure (2) counterparts, the right of access guarantees three elements (3).
Firstly, it allows any person to know whether data concerning him or her are being processed. Secondly, it ensures that this data is communicated to the data subject, who can then have any error rectified or erased. Finally, the communicating entity must also be able to provide several pieces of related information, such as the recipients to whom the data have been or will be disclosed, the purposes of the processing, or the categories of data being processed.
Now, as one can imagine, companies usually collect large amounts of data on their employees.
How can employees exercise their right of access against a company? (4)
1. Exercising the right of access is free of charge
As for any data subject, an employee or former employee cannot be charged for such a request. A reasonable fee may however be charged in exceptional situations, such as a request for additional copies.
2. The data subject’s identity can and should be verified
Should the company have reasonable doubts about the identity of the person making the request, it may ask for the additional information necessary to confirm his or her identity. This step is strongly recommended: disclosing the data to someone other than the data subject would itself constitute a personal data breach and engage the company's liability.
Such verification must, however, be limited to documents that are relevant and proportionate to the doubt at hand.
3. The access given cannot disproportionately infringe on the rights of others
This is the main limit of any right of access. On a case-by-case basis, a balance must be struck between satisfying the request as fully as possible and protecting the rights of third parties. Unsurprisingly, such rights can be numerous: the right to privacy, secrecy of correspondence, intellectual property and business secrets...
A finer line between these two principles has yet to be drawn, making upcoming EU and national case-law all the more interesting to follow.
(1) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, OJ L 119, 4.5.2016, p. 1–88, article 16
(2) Ibid., article 17
(3) Ibid., article 15 paragraph 1
(4) Ibid., article 15 paragraph 3; CNIL, 5 January 2020, "Le droit d'accès des salariés à leurs données et aux courriels professionnels", cnil.fr