The Data Protection Act allows any person to access data concerning him or her. This right is reinforced by the General Data Protection Regulation (GDPR) published on May 4, 2016 and entered into force in May 2018. An employee can therefore ask his employer to communicate personal data concerning him.
Article 1 of the RGPD states, “The protection of individuals with regard to the processing of personal data is a fundamental right.” The RGPD allows an individual to ask an organization if it holds data about him (website, store, bank…) and if this is indeed the case, then ask for it to be communicated to him in order to verify its content. The organization will have to send him a copy of the data held and inform him about :
- the purposes for which the data is used,
- the categories of data collected,
- the recipients or categories of recipients who may have access to the data
- the length of time the data is kept or the criteria that determine this length of time,
- the existence of other rights (right of rectification, deletion, limitation, opposition),
- the possibility of referring the matter to the CNIL,
- any information relating to the source of the data collected if they have not been directly collected from him,
- the existence of automated decision-making, including profiling, and the underlying logic, importance and consequences for you of such a decision
- the possible transfer of your data to a third country (non-EU member) or to an international organization.
This step allows the individual to check the accuracy of the data and, if necessary, to exercise his or her right to rectification or deletion, depending on the case.
The right of access in a professional context
“The principles relating to data protection apply to all personal data collected by an organization, even in a professional context: an employee can therefore exercise his right of access with his employer.
The rules of the right of access
The organization must ensure the identity of the applicant
If there is any doubt about the identity of the person wishing to have access to his or her data, certain information may be requested to prove his or her identity, but supporting documents may not be requested that would be abusive, irrelevant and disproportionate to the request.
The organization must respond to the request free of charge
Data subjects must be able to exercise the right of access free of charge. However, in certain exceptional situations, in particular where an additional copy is requested, a reasonable fee for processing the file may be charged.
The right of access relates to personal data and not to documents
The right of access relates only to personal data and not to documents: a person cannot claim the communication of a document on the basis of the right of access. However, the organization is not prohibited from providing documents rather than just the data, if it is deemed more convenient (e.g., sending a copy of an email rather than detailing it)
The exercise of the right of access must not prejudice the rights of third parties
The right of access concerns data whose “communication does not disproportionately affect the rights of others”.
Assessment of the request by the employer
The employer must judge whether or not this disclosure of data may infringe on the rights of a third party according to two criteria:
- The requester is the sender or the recipient of the emails that are the subject of the request.
- The applicant is mentioned in the content of the emails.
In the first case, where the requester has sent or received emails, it is presumed to have knowledge of the information contained in the messages covered by the request, “disclosure of the emails is presumed to be respectful of the rights of third parties.” In this context, anonymization that will make it impossible to identify him or her or pseudonymization of data through an alias, a sequential number … seem the best solutions.
If the applicant is mentioned, the employer will have to assess the extent to which their communication would infringe on the rights of third parties. The employer can refuse the right of access to the data if they represent a danger to the rights of a third party but explain the reasons to the applicant. The latter can always obtain from a judge the production of the litigious e-mails in the context of a dispute, provided that this production is necessary and that the infringement is proportionate to the aim pursued.
The particular case of personal e-mails
E-mails identified as personal or whose content proves to be private despite the absence of any mention of their personal nature, are subject to special protection; in this case, “the employer may not take cognizance of the content” even with a view to concealing information and “must provide the plaintiff with the e-mail as is”, provided that the latter is the sender or the recipient.
Translated from Salariés : droit d’accès aux données et aux courriels professionnels