GDPR
The right of access to personal data is a crucial issue in the digital age, particularly when it comes to upholding employees' rights within the company. Established by the GDPR, this right allows every individual, including employees, to access the personal information their employer holds about them, as well as their professional emails.
Understanding what is at stake with this right is essential for both employees and employers, as it affects data management practices and the protection of privacy in the workplace. With this in mind, we will examine the various aspects of this right of access, its implications for employers, and how access requests must be handled. We will also address the resulting limits and obligations, while highlighting the essential role of the CNIL in regulating and protecting these rights.
If you would like to engage a GDPR lawyer, contact me!
The right of access to personal data is fundamental and guarantees employees the ability to obtain information about the data concerning them. In accordance with the GDPR, every employee has the right to ask their employer to disclose the personal data held about them, including data contained in professional emails.
This request aims to enhance transparency within companies and to enable individuals to verify the accuracy of their data. Thus, when an employee exercises this right of access, they may:
It is important to stress that this right of access, while powerful, is not without restrictions. For example, the employer is required to verify the identity of the requester in order to protect third parties' data. It must not demand disproportionate supporting documents and cannot simply reject a request on the grounds that it uses the term "document" instead of "personal data".
In this regard, a ruling by the CJEU recalled that, where a request for access to data is legitimate, the organisation must provide a faithful and intelligible reproduction of all the data concerned, taking into account the rights and freedoms of others, as set out in the judgment of 4 May 2023 (C-487/21, EU:C:2023:369, paragraph 45).
This legal framework helps to secure the data management process within the company, but it requires constant vigilance on the part of employers to avoid any failure in handling employees' requests.
Thus, this initial analysis underscores the importance of knowing and respecting employees' rights regarding personal data. In the remainder of this article, we will explore how employers must respond to access requests and the legal implications that follow.
Managing requests for access to personal data, such as professional emails, is essential for employers. In accordance with the applicable regulations, in particular the GDPR, employers have specific obligations to meet when an employee asserts their right of access.
First and foremost, employers must establish a clear and accessible process for handling these requests. This includes informing employees of how to submit their request, as well as designating a person or department responsible for managing these requests. The main steps to follow are:
It is crucial that the employer respond in a complete and understandable manner. The CNIL recommends framing the response so that the employee can understand which data is held about them and for what purpose it is used. In addition, if data must be retained for legal reasons or to defend legitimate interests, the employer must inform the employee accordingly.
The risks of non-compliance are high, as an unjustified refusal or a late response may give rise to administrative penalties. Indeed, the CNIL has the power to monitor the compliance of employers' practices and may impose substantial fines in the event of breaches. Moreover, established case law recalls the importance of full transparency when communicating data, as highlighted by the judgment of 4 May 2023 (C-487/21, EU:C:2023:369) on employees' right to access their personal information.
In short, responding appropriately to employees' access requests is not only a legal imperative but also an opportunity for employers to strengthen trust and transparency within the company. In the remainder of this article, we will turn to the legal implications for employers regarding professional emails.
Professional emails represent a significant source of personal data in the employment context. Under the GDPR, employers must be particularly vigilant in handling access requests made by employees concerning these emails. Indeed, communicating personal data often proves more complex due to the sensitive information that may be stored.
When an employee requests access to their professional emails, the employer must first assess whether the data requested in fact constitutes personal data and must also check whether disclosing it could undermine the rights of third parties. This process may include:
The GDPR provides that employers cannot reject a request simply because it uses the term "document"; they must give practical effect to the request. Furthermore, the CJEU has specified that it is essential to provide a faithful and intelligible reproduction of the data, in the judgment of 4 May 2023 (C-487/21, EU:C:2023:369, paragraph 45).
It should also be noted that, where emails contain sensitive information, employers must seek to anonymise or pseudonymise that information before disclosure. However, if this proves impossible or insufficient, they must give reasons for their decision to refuse access, thereby ensuring respect for the rights of third parties.
Another aspect to consider concerns emails identified as personal. The employer cannot open them, even where this might seem justified for security reasons or compliance with internal standards. The courts have clearly held that such emails are protected under the confidentiality of correspondence and cannot be accessed without appropriate legal authorisation.
In this respect, managing professional emails in connection with the right of access raises issues that must be carefully delineated by employers in order to comply with the applicable laws while protecting their employees' privacy. It is a delicate balance that requires in-depth knowledge of employees' rights and employers' obligations.
In order to avoid potential disputes or penalties, it is advisable to formalise a policy for managing personal data and professional emails within the company, taking into account the obligations of the GDPR and the recommendations of the CNIL.
To learn more
Yes. The GDPR guarantees every individual, including employees, the right to access the personal data the employer holds about them. This right may extend to professional emails and affects data management practices within the company.
The right of access may extend to professional emails when they contain the employee's personal data. However, this right is subject to limits, in particular those relating to the rights of third parties and confidentiality. Its application must be assessed on a case-by-case basis.
The employer must respond to the employee's access request within the time limits set by the GDPR, disclosing the data concerning them. It must reconcile this right with the applicable limits, in particular the protection of third parties' data.
The right of access is subject to limits, in particular where disclosure would undermine the rights and freedoms of third parties. The employer must then reconcile the employee's right with these limits, assessing each request in a proportionate manner.
The right of access affects data management practices and the protection of privacy in the workplace. It concerns both employees, who want to know what data is held about them, and employers, who must organise the handling of these requests.
The CNIL regulates and protects the right of access to personal data. It may be called upon in the event of difficulty and clarifies how this right is to be exercised. Its role is essential to ensure respect for employees' rights and the balance with the employer's obligations.
The employer cannot refuse a legitimate access request, but it may limit its scope to protect the rights of third parties or in the event of abuse. Any refusal or limitation must be justified and compliant with the GDPR, subject to potential oversight by the CNIL.
A GDPR lawyer helps employers handle employees' access requests, reconcile this right with its limits and secure their practices. On the employee's side, a lawyer helps assert the right of access in compliance with the legal framework.