GDPR

Employees' right of access to their personal data and emails: what is at stake?


Reading time: 6 min

The right of access to personal data is a crucial issue in the digital age, particularly when it comes to upholding employees' rights within the company. Established by the GDPR, this right allows every individual, including employees, to access the personal information their employer holds about them, as well as their professional emails.

Understanding what is at stake with this right is essential for both employees and employers, as it affects data management practices and the protection of privacy in the workplace. With this in mind, we will examine the various aspects of this right of access, its implications for employers, and how access requests must be handled. We will also address the resulting limits and obligations, while highlighting the essential role of the CNIL in regulating and protecting these rights.


1. What are employees' rights regarding personal data?

The right of access to personal data is fundamental and guarantees employees the ability to obtain information about the data concerning them. In accordance with the GDPR, every employee has the right to ask their employer to disclose the personal data held about them, including data contained in professional emails.

This request aims to enhance transparency within companies and to enable individuals to verify the accuracy of their data. Thus, when an employee exercises this right of access, they may:

  • Check whether personal data concerning them is being processed by the employer.
  • Obtain information about the categories of data collected.
  • Learn the purposes for which this data is used.
  • Request the rectification or erasure of inaccurate data.

It is important to stress that this right of access, while powerful, is not without restrictions. For example, the employer is required to verify the identity of the requester in order to protect third parties' data. It must not demand disproportionate supporting documents and cannot simply reject a request on the grounds that it uses the term "document" instead of "personal data".

In this regard, the CJEU recalled in its judgment of 4 May 2023 (C-487/21, EU:C:2023:369, paragraph 45) that, where a request for access to data is legitimate, the organisation must provide a faithful and intelligible reproduction of all the data concerned, taking into account the rights and freedoms of others.

This legal framework helps to secure the data management process within the company, but it requires constant vigilance on the part of employers to avoid any failure in handling employees' requests.

Thus, this initial analysis underscores the importance of knowing and respecting employees' rights regarding personal data. In the remainder of this article, we will explore how employers must respond to access requests and the legal implications that follow.


2. How must employers respond to employees' access requests?

Managing requests for access to personal data, such as professional emails, is essential for employers. In accordance with the applicable regulations, in particular the GDPR, employers have specific obligations to meet when an employee asserts their right of access.

First and foremost, employers must establish a clear and accessible process for handling these requests. This includes informing employees of how to submit their request, as well as designating a person or department responsible for managing these requests. The main steps to follow are:

  • Verifying the identity of the requesting employee in order to prevent any unauthorised access to the data.
  • Assessing the request to ensure that it is admissible and does not infringe the rights of others.
  • Responding within a maximum period of one month, as required by Article 12 of the GDPR.

It is crucial that the employer respond in a complete and understandable manner. The CNIL recommends framing the response so that the employee can understand which data is held about them and for what purpose it is used. In addition, if data must be retained for legal reasons or to defend legitimate interests, the employer must inform the employee accordingly.

The risks of non-compliance are high, as an unjustified refusal or a late response may give rise to administrative penalties. Indeed, the CNIL has the power to monitor the compliance of employers' practices and may impose substantial fines in the event of breaches. Moreover, established case law recalls the importance of full transparency when communicating data, as highlighted by the judgment of 4 May 2023 (C-487/21, EU:C:2023:369) on employees' right to access their personal information.

In short, responding appropriately to employees' access requests is not only a legal imperative but also an opportunity for employers to strengthen trust and transparency within the company. In the remainder of this article, we will turn to the legal implications for employers regarding professional emails.


3. What are the legal implications for employers regarding professional emails?

Professional emails represent a significant source of personal data in the employment context. Under the GDPR, employers must be particularly vigilant in handling access requests made by employees concerning these emails. Indeed, communicating personal data often proves more complex due to the sensitive information that may be stored.

When an employee requests access to their professional emails, the employer must first assess whether the requested data actually constitutes personal data, and must also check whether disclosure could undermine the rights of third parties. This process may include:

  • Identifying the emails in which the employee is either the sender or the recipient.
  • Assessing the risk of infringing the privacy of other individuals mentioned in these emails.
  • Deciding on the content that may be disclosed without infringing the rights of others, such as trade secrets or private correspondence.

The GDPR provides that employers cannot reject a request simply because it uses the term "document"; they must give practical effect to the request. Furthermore, the CJEU has specified that it is essential to provide a faithful and intelligible reproduction of the data, in the judgment of 4 May 2023 (C-487/21, EU:C:2023:369, paragraph 45).

It should also be noted that, where emails contain sensitive information, employers must seek to anonymise or pseudonymise that information before disclosure. However, if this proves impossible or insufficient, they must give reasons for their decision to refuse access, thereby ensuring respect for the rights of third parties.

Another aspect to consider concerns emails identified as personal. The employer cannot open them, even where this might seem justified for security reasons or compliance with internal standards. The courts have clearly held that such emails are protected under the confidentiality of correspondence and cannot be accessed without appropriate legal authorisation.

In this respect, managing professional emails in connection with the right of access raises issues that must be carefully delineated by employers in order to comply with the applicable laws while protecting their employees' privacy. It is a delicate balance that requires in-depth knowledge of employees' rights and employers' obligations.

In order to avoid potential disputes or penalties, it is advisable to formalise a policy for managing personal data and professional emails within the company, taking into account the obligations of the GDPR and the recommendations of the CNIL.

To learn more

Do employees have a right of access to their data?

Yes. The GDPR guarantees every individual, including employees, the right to access the personal data the employer holds about them. This right may extend to professional emails and affects data management practices within the company.

Does the right of access cover professional emails?

The right of access may extend to professional emails when they contain the employee's personal data. However, this right is subject to limits, in particular those relating to the rights of third parties and confidentiality. Its application must be assessed on a case-by-case basis.

How must the employer handle an access request?

The employer must respond to the employee's access request within the time limits set by the GDPR, disclosing the data concerning them. It must reconcile this right with the applicable limits, in particular the protection of third parties' data.

What limits apply to employees' right of access?

The right of access is subject to limits, in particular where disclosure would undermine the rights and freedoms of third parties. The employer must then reconcile the employee's right with these limits, assessing each request in a proportionate manner.

Why is the right of access an issue within the company?

The right of access affects data management practices and the protection of privacy in the workplace. It concerns both employees, who want to know what data is held about them, and employers, who must organise the handling of these requests.

What is the role of the CNIL in the right of access?

The CNIL regulates and protects the right of access to personal data. It may be called upon in the event of difficulty and clarifies how this right is to be exercised. Its role is essential to ensure respect for employees' rights and the balance with the employer's obligations.

Can the employer refuse an access request?

The employer cannot refuse a legitimate access request, but it may limit its scope to protect the rights of third parties or in the event of abuse. Any refusal or limitation must be justified and compliant with the GDPR, subject to potential oversight by the CNIL.

Is a lawyer useful for employees' right of access?

A GDPR lawyer helps employers handle employees' access requests, reconcile this right with its limits and secure their practices. On the employee's side, a lawyer helps assert the right of access in compliance with the legal framework.
