In its activity report for the year 2020, the French National Data Protection Commission (CNPD) indicated that, among the requests it had received during the year, a large number "concerned the exercise of data subjects' rights, in particular the right of access to personal data". The overall observation is that "citizens are making greater use of the rights granted by the GDPR[1] and that data protection continues to be a major concern".


Employers can also attest to this trend, given the upsurge in access requests from employees (and even former employees) since the GDPR came into force, mainly when the employment relationship takes a contentious turn.


Given the complexity of the regime applicable to the right of access and the heavy penalty[2] system provided for by the regulations in this respect, all employers should ensure that they are familiar with both the concepts on which the right of access is based and its scope.


This study, which does not constitute an exhaustive legal analysis of the right of access regime, is intended to provide employers with some useful ideas for handling access requests in accordance with the requirements of the GDPR.

 

I. Scope of the right of access enshrined in Article 15 of the GDPR

 

The data subject's right of access to personal data concerning him or her is not a new right.

Article 8 of the Charter of Fundamental Rights of the European Union[3] states that "Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified".

In Luxembourg, the amended law of 2 August 2002[4], now repealed, also provided for a right of access by the data subject to personal data concerning him or her, as well as to a series of items of information about the way in which such data was processed.

 

Since 25 May 2018, it is on the basis of Article 15 of the GDPR that employees can demand access to personal data that the employer is required to process in the context of the employment relationship.

 

a.  Content of the right of access

If an employer receives a request for access on the basis of Article 15 of the GDPR, it is obliged to inform the employee whether or not personal data concerning the latter is being processed and, if such data is being processed (this will always be the case in the context of an employment relationship), it must:


1. provide the employee with access to the data (this may involve online access, for example via a link to an HR database),

2. provide the data subject with a certain amount of information about the processing carried out, including the categories of data processed and recipients, the purposes of the processing, how long the data will be kept and, in the event of data being transferred outside the European Economic Area, details of the appropriate safeguards put in place, etc.,

3. provide the employee with a copy of the data concerned.


In addition, the employer is obliged to respond to the request for access within one month of receipt of the request.


Only if it can establish the complexity or large volume of requests to be processed will it be able to take advantage of an additional two-month period, provided that it informs the employee of the reasons for this extension within one month of receiving the request.


The regulations do not impose any particular form for the request for access, so the employee is free to formulate it in the terms of his or her choice.


Nor are employees obliged to specify the legal basis for their request for access.


However, the GDPR is not the only regulation to provide for a right of access[5], and it is the employer's responsibility to apply the appropriate legal regime in order to ensure that it meets its obligations.

The scope of the employee's right will vary depending on whether or not the request for access is based on Article 15 of the GDPR.

 

b.  Scope of the right of access

It is not uncommon for employees to invoke Article 15 of the GDPR in disputes to demand access to professional documentation (e.g. professional correspondence) or to information concerning other employees of the company.

 

It is therefore essential for the employer to be able to determine which information falls within the scope of the right of access and which does not.

In this case, the right of access is limited to personal data concerning the employee and which is being processed.

 

- Personal data being processed


The right of access applies only to personal data within the meaning of the regulations.


This means that only information that directly or indirectly identifies the data subject (in this case, the employee), "in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier, or to one or more factors specific to his or her physical, physiological, genetic, mental, economic, cultural or social identity[6]", is covered.


Employers should be aware that the right of access extends to all the personal data they are processing at the time the request for access is made, which therefore necessarily includes:

-      archived data (as a reminder, data storage constitutes a processing operation),

-      data which does not, on its own, enable the employee to be identified directly (e.g. voice recordings, the IP address of his or her work computer, the registration number of his or her company car, etc.),

-      data whose processing has been entrusted to a sub-contractor (e.g. data entrusted to the fiduciary responsible for payroll management).


Anonymised data and data no longer in the employer's possession at the time the request is made are logically excluded from the right of access, since in the first case they are no longer personal data as it is no longer materially possible to link them to the employee, and in the second case the data are no longer processed by the employer.


- Data concerning the employee


By invoking Article 15 of the GDPR, the employee can only request access to personal data concerning him or her, which, despite appearances, is not always easy to determine, particularly when the data also concerns other people (e.g. colleagues, customers, etc.).

The Article 29 Working Party[7] has specified that "data relates to an individual if it relates to the identity, characteristics or behaviour of an individual or if that information is used to determine or influence the way in which that individual is treated or evaluated[8]".

 

In order to assess whether or not a piece of data concerns an individual, it is necessary to examine (alternatively, and not cumulatively) whether, by virtue of its content, purpose or the result it produces, a piece of information is linked to that individual.


For example, the following may constitute personal data concerning an employee:

-      references to the employee's first and last names in the minutes of a meeting, since this information reveals the employee's identity (content),

-      bank details that the employer collects in order to pay the employee's monthly salary (purpose), or

-      the appraisal notes of the employee's line manager, which the employer uses as a basis for deciding whether or not to grant the employee a pay rise (result).


On the basis of these criteria, a case-by-case analysis will determine whether the data falls within the scope of the right of access under Article 15 of the GDPR.

 

- Data concerning other persons


According to the EDPB, the mere fact that data relating to the employee may also concern other persons does not automatically exclude them from the scope of the right of access.


The Court of Justice of the European Union (CJEU) has already had occasion to take a position in a case[9] which, although it was handed down on the basis of the Directive[10] repealed by the GDPR, proposes an analysis grid that remains relevant.


In this case, a candidate who had failed an accountancy exam was refused access to his exam paper on the grounds, according to the Irish Data Protection Commissioner, that "in general, exam papers are not examined [for data protection purposes] [...] because, in general, these documents do not constitute personal data".


On this point, the CJEU first established that, by virtue of their content, purpose and result, the information contained in the examination paper was linked to the candidate's person, and was therefore to be classified as personal data concerning him or her.


The Court went on to state that this classification was not called into question by the fact that the information contained in the examination paper also concerned the examiner.


In this case, the information concerning the examiner consisted of the annotations relating to the candidate's answers and, insofar as these annotations reflected the assessment of the candidate's knowledge and justified his mark, the Court considered that this information also concerned him and that he could therefore claim access to it.


It can therefore be deduced, a contrario, that if the content, purpose or result of a piece of information has no connection with the employee, the latter will not be able to avail himself of the right of access.

 

Thus, an employer faced with a request for access to professional correspondence may consider that messages which, in view of their content, purpose or result, do not concern the employee (e.g. the correspondence contains no information intended to evaluate his behavior, to decide whether or not to grant his promotion, etc.), do not fall within the scope of the right of access.


The right of access was designed to guarantee effective protection for individuals with regard to the processing of their personal data, which is a fundamental right.


Indeed, access to one's data enables any data subject to find out how and for what purposes it is used, and on this basis (and depending on the circumstances) to guard against any data processing that is unlawful or prejudicial to his or her interests (notably by objecting to it, demanding the rectification or deletion of erroneous or obsolete data, etc.).


The protection it confers on individuals explains why the right of access can only be restricted or limited in cases that are exhaustively listed by the regulations.

 

II. Restrictions and limits on the right of access


Despite this purpose, in the context of the employment relationship the right of access is most often exercised by employees wishing to gather evidence in anticipation of litigation, or to exert pressure on the employer in the context of settlement negotiations.


However, unless the employer can demonstrate that there is a risk of infringement of the rights and freedoms of others, or that the request is manifestly unfounded or excessive, there is no legal basis for denying the employee access to his or her personal data.


a. Protecting the rights and freedoms of others


Having identified the data that actually falls within the scope of Article 15 of the GDPR (see above), the employer will still need to ensure that communicating it to the employee does not infringe the rights and freedoms of others.


This analysis phase may prove extremely complex in practice insofar as it requires the employer to be able to weigh up the rights and interests of the various people concerned.


- Notion of the rights and freedoms of others


Communication of the copy of personal data concerning the employee must be compatible with respect for the rights and freedoms of others (Article 15(4) of the GDPR). These may be the rights and freedoms of the employer itself, other employees, or even any other third parties (customers, suppliers, etc.).


The protection only covers rights and freedoms that are recognized by Union law or national legislation, so the employer will need to ensure that it has solid legal references if it intends to avail itself of this provision.


For example, this may involve not communicating information that could infringe on the employer's business or manufacturing secrets, or on other employees' right to privacy, or even on professional secrecy, which precludes the communication of information relating to the company's customers.

 

- Scope of the restriction linked to the rights and freedoms of others


The restriction on the right of access linked to the protection of the rights and freedoms of others refers only to the obligation to communicate the copy of the data (Article 15(4) of the GDPR).


Consequently, this argument cannot be used to defeat the other obligations imposed on the employer under Article 15 of the GDPR which include, among others, the obligation to confirm the existence of processing operations or, alternatively, to communicate relevant information relating to the processing operations carried out (i.e. categories of data and recipients, purposes of the processing operations, appropriate safeguards in the event of transfers outside the EEA, etc.).


This nuance is essential, as the restriction linked to the rights and freedoms of others cannot serve as a valid legal basis for rejecting a request for access in its entirety.


- Concrete analysis of the risk of infringement of the rights and freedoms of others


The employer cannot simply invoke this restriction without demonstrating how communicating a copy of the personal data to the employee would concretely infringe the rights and freedoms of others.


A case-by-case analysis of the negative impact that communication of the copy could have on the rights and freedoms of others will be required. To this end, the employer will need to assess the likelihood that the rights and freedoms of others will be negatively impacted, and the seriousness that such an infringement would present for the person(s) concerned in the case in question.


The employer would also be well advised to document its analysis in anticipation of a possible complaint to a data protection authority or legal challenge by the employee.


If it turns out that there is a real and concrete risk of infringement of the rights and freedoms of others, the employer will have to consider how to reconcile the various rights and interests involved.


One possibility to consider, for example, would be to exclude from the document to be communicated to the employee all information likely to prejudice the rights and freedoms of others. In this way, both the employee's right of access and the rights and freedoms of others would be respected.


Of course, if it is not materially possible to reconcile the rights and interests of the parties involved (e.g. communication of the document itself constitutes a breach of professional secrecy), communication of the copy of the data may be refused to the employee.


Any refusal by the employer to comply with a request for access will have to be based on proof that the request is manifestly unfounded or excessive (Article 12(5)(b) of the GDPR).


b. Manifestly excessive and unfounded requests for access


The only exception to the right of access is provided by Article 12 of the GDPR, which authorizes the employer to refuse to comply with a manifestly unfounded or excessive request for access.

The difficulty lies in assessing whether such a request is manifestly unfounded or manifestly excessive. Here again, the employer is strongly advised to carry out a documented analysis of the case in question, so as to have a solid defense in case of any dispute over the interpretation of this derogation.


- Manifestly unfounded requests for access


The manifestly unfounded nature of a request for access will be established in extremely rare cases, due to the very nature of the right of access, the possibilities for restrictions of which are extremely limited.


According to the EDPB[11], an access request could be considered manifestly unfounded, for example, if it does not fall within the scope of Article 15 of the GDPR.


As a reminder, Article 15 only provides for a right of access to personal data that concerns the data subject and is processed by the data controller.


Thus, if the employee's request only relates to personal data that exclusively concerns his former line manager, for example, the request could be qualified as manifestly unfounded.


Similarly, if the employee requests access to data that the employer destroyed before the request was submitted, and therefore no longer processes[12], the request may be considered manifestly unfounded.


It is important to note that, in principle, the employer is not required to assess the purpose or relevance of the access request submitted to him, so that a request that is in fact motivated by the employee's desire to litigate should not automatically be considered manifestly unfounded.


- Manifestly excessive access requests


According to the EDPB's recommendations[13], the excessive nature of an access request should not automatically result from the fact that the data subject submits more than one access request, nor that he or she intends to use the data in the context of legal proceedings against the data controller.


Once again, data controllers are invited to carry out a case-by-case analysis, taking into account the specific nature of the request addressed to them.


In this case, the reasonableness of the interval between two access requests will vary depending on the nature of the relationship between the data controller and the data subject, but also with regard to the nature of the processing carried out.


In order to carry out this analysis, the employer may use the following indicators:

-      frequency of modification or alteration of the data processed, where applicable,

-      nature of the data (particularly if it is sensitive data),

-      purposes of processing,

-      purpose of access requests (depending on whether or not they relate to the same information or processing activities).

 

By way of illustration, an employee who demanded that his employer provide him with monthly access to the data used to manage his payroll would run the risk of being criticised for making excessive requests for access insofar as the nature of the data processed for this purpose is unlikely to vary from month to month.


According to the EDPB, abusive use of the right of access could constitute an excessive request.


Abuse of rights may arise in particular from the fact that an employee makes the withdrawal of his request for access conditional on the payment of financial compensation, or that his requests are motivated exclusively by the desire to cause dysfunction within the company. However, it is unlikely that, in practice, an employee will be so explicit about his or her real motives that the employer can easily build up evidence of such abuse.


It is not uncommon for an employee to make a request for access simply to gather the evidence he or she lacks to justify the claims he or she intends to make in court ("fishing expedition"). These requests, which are exclusively exploratory in nature, are generally indeterminate and therefore in principle concern all the data processed in the context of the employment relationship, which sometimes extends over several years.

Although, in view of the restrictive approach of the EDPB, the employer should not systematically invoke abuse of rights to reject such a request, it may, on the other hand, initially require the employee to provide the necessary details to facilitate processing.


Depending on the circumstances, the employee's reaction could be construed as an abuse of rights, particularly if it illustrates an intention to harm the employer.


Obviously, an analysis of the facts - and possibly recourse to legal expertise - will be essential, while mere confirmation that the request concerns all personal data will not in itself automatically constitute an abuse of rights.


 

III. Conclusion

 

Whether for the administrative management of staff (e.g. payroll, working hours, etc.) or for the operational management of the company (e.g. management of access to premises, of the fleet of company cars, etc.), the employment relationship involves, by its very nature, a large amount of processing of employees' personal data.


Dealing with access requests can therefore be a particularly laborious and resource-intensive exercise (in terms of human, organisational and financial resources). It also requires a rigorous capacity for analysis.

Setting up a governance system tailored to the specific characteristics of the company, the sector of activity and the resources available is a prerequisite for protecting the employer's interests.

In this respect, keeping a register of processing activities, drafting a privacy notice and implementing various policies (archiving, data retention and destruction, etc.) within the company will be key success factors.


[1] Author's note: the acronym "GDPR" refers to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

[2] Violation of the data subject's right of access exposes the company to an administrative fine of up to 4% of the total annual worldwide turnover for the previous financial year.

[3] Charter of Fundamental Rights of the European Union, proclaimed on 7 December 2000 and made legally binding on 1 December 2009.

[4] Article 28 of the amended Act of 2 August 2002 on the protection of individuals with regard to the processing of personal data.

[5] See in particular Article L. 414-17 of the French Labour Code, which provides employees with a right of access to their personal files.

[6] Extract from Article 4 of the GDPR.

[7] Author's note: the Article 29 Working Party was replaced in 2018 by the European Data Protection Board ("EDPB"), an independent European body that contributes to the consistent application of data protection rules within the European Union and promotes cooperation between EU data protection authorities.

[8] See WP 136 Opinion 4/2007 on the concept of personal data.

[9] CJEU case C-434/16 of 20 December 2017.

[10] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

[11] Guidelines 01/2022 on data subject access rights - Right of access version 1.0 adopted on 18 January 2022, page 54 (the public consultation procedure for these recommendations is still underway at the time of publication of this article).

[12] For example, the extract from the criminal record given on recruitment, which most employers are obliged to destroy within a month of concluding the employment contract.

[13] Guidelines 01/2022 on data subject access rights - Right of access, page 54 (public consultation in progress at the time of publication of this article).