The right to access personal data, a fundamental principle of the GDPR, seems to be becoming a strategic tool for employees in dispute with their employer. Frequently invoked in response to a dismissal, it makes it possible to obtain evidence, to destabilize the employer and to exert pressure in negotiations, especially when the company is not in compliance with the GDPR. Faced with this practice, some French and European judges are questioning the need to limit this use and to create new conditions in order to avoid abuses and protect employers.
The right of access, a key principle of the GDPR, allows everyone to know whether their personal data is being processed, to access it and to verify its legality. The exercise of this right does not require any justification, as the CJEU recently recalled, including when the request pursues an objective other than the original purposes of the GDPR (CJEU, C-307/22, 26 October 2023). This means that employees can freely invoke this right, thus requiring the employer to respond to it without the possibility of limiting or denying access.
While the exercise of the right to access personal data does not have to be justified, the right is not absolute.
The GDPR already includes restrictions to protect the rights and freedoms of others, such as business secrecy, confidentiality of exchanges and private correspondence, and allows data controllers to refuse to respond to requests that are “clearly unfounded or excessive”, in particular because of their repetitive nature.
Some foreign jurisdictions are beginning to use these limits. Two recent foreign decisions illustrate this evolution:
- An access request addressed to an insurer, made to obtain information in order to dispute premiums, was considered outside the scope of the right of access. The insurer was thus able to legitimately refuse to provide its insured with the requested information (Hamm Court of Appeal, Germany, May 3, 2023).
- A former employee could not obtain the communication of emails and statements concerning him related to an ongoing dispute because company secrecy and the confidentiality of exchanges prevailed over his right of access (Austrian Federal Administrative Court, July 8, 2024).
This trend in case law could mark a turning point by limiting the use of the right of access when it is diverted from its initial objective.
As part of the third edition of the coordinated action of the European Data Protection Board (CEF 2024), the CNIL and its counterparts carried out checks on public and private bodies in order to assess the implementation of the right of access. These investigations have shown that many organizations provide a partial response to requests, especially when they concern all the data held.
Faced with this observation, in January, the CNIL updated its recommendations to support companies in managing massive requests for access to employee emails. In particular, it recommends providing a summary table of emails sent or received, without disclosing the full content. In addition, when data extraction represents a disproportionate burden for the employer, the CNIL establishes the practice of requesting details from the employee before responding to the request.
A recent decision illustrates this pragmatic approach: French judges considered that an employer does not have to provide all the emails of a dismissed employee if his inbox has been deleted, in accordance with the company's data retention policy (Paris Court of Appeal, May 12, 2022).
To reconcile compliance with the GDPR and the preservation of company interests, employers have every interest in adopting clear organizational measures. We recommend the following:
- Define a policy for the retention and deletion of personal data, in particular professional emails, by setting a specific duration after the departure of an employee.
- Establish a structured internal process to effectively manage access requests and ensure compliance with regulatory deadlines.
- Supervise the use of the right of access in litigation by proposing that the labour court question the employee about the purpose of his request for access, in order to be able to demonstrate a possible abuse of rights.
These measures will thus allow companies to meet their legal obligations while limiting the risks associated with requests that are diverted from their initial objective.
For any questions or support, do not hesitate to contact us by writing to cbeaussier@squairlaw.com.
Clémentine Beaussier, partner lawyer at Squair