Right of access to personal data
28/03/2022 - Media
Employees and former employees can ask the employer for access to and disclosure of their personal data and request a copy, including copies of work-related e-mails, through the right of access to their personal data.
On January 5, 2022, the French data protection authority (“CNIL”) published the procedure to follow when answering such a request.
What information must the employer check before transmitting personal data?
- Ensure the identity of the employee
If the employer has "reasonable doubts" about the identity of the requestor, it can ask him/her to attach any document that would prove his/her identity.
However, it is not possible to ask for supporting documents that would be "abusive, irrelevant and disproportionate". It may be sufficient for the person to exercise his or her rights from a space where he or she has already authenticated (via the company’s e-mail or intranet).
- Reproduce the data
The right of access relates only to personal data and not to documents.
However, it is not forbidden to disclose the documents rather than the data alone if this is more convenient.
- Check that the request does not concern a third party
The application of the right of access to one’s personal data cannot infringe on the rights of others.
The French data protection authority points out that "respect for the right to privacy, business secrecy and the secrecy of correspondence are regularly invoked by employers to refuse to respond favourably to employees". In practice, this can lead, for example, to hiding the identity of employees or elements that indirectly allow them to be identified.
What emails can be provided to the employee?
In the event of a request from an employee to access his/her professional e-mails, the employer must distinguish between two situations depending on whether the requestor is:
– Either (i) the sender or the recipient of the e-mails;
– Or (ii) only mentioned in the content of the e-mails.
(i.) Professional e-mails of which the employee is the sender or recipient
When the employee is the sender or recipient of the e-mails for which he or she is requesting a copy, he or she is presumed to have knowledge of the information contained in the messages. The employer therefore cannot oppose the request on the basis of respect for the rights of third parties.
In exceptional cases, even though the e-mails are known to the requestor, if there is a risk to the rights of third parties or a risk of breaching a secret, the data should be deleted or anonymised, or the request for access should be rejected, stating the reasons. This is the case, for example, when the e-mails contain information that would infringe national security or an industrial secret.
(ii.) Professional e-mails referring to the employee
In order to respond to such a request, the employer must first check that the measures to be used to identify the requested e-mails do not lead to a disproportionate infringement of the employees’ rights. Thus, when the request concerns all of the employees’ e-mail accounts, the applicant must be asked to specify his or her request.
If the information provided by the applicant makes it possible to identify the e-mails requested, the employer must then study their content and assess the extent to which their disclosure would infringe the rights of third parties. For example, an employer may refuse to comply with a request to disclose e-mails relating to a disciplinary investigation, the content of which could identify the persons concerned.
(iii.) The special case of personal e-mails
Where emails are identified as personal or where their content is private, the employer is not entitled to access them. The employer will therefore have to provide them as they are, but only if the requesting employee is the sender or the recipient.
Can the employer refuse the transmission of personal data?
The employer is not always obliged to respond to employees’ requests, particularly when:
– the data are no longer kept or have been deleted;
– the requests are clearly unfounded or excessive, especially when they are multiple and close together.
In principle, the employer has a maximum of one month to respond to a right of access request for a “simple request” and up to three months for a “complex request”.
The French data protection authority points out that the right of access should not be confused with other rules on the communication of documents or evidence in the context of legal proceedings.
Thus, even if the employer refuses to comply with an employee’s request for access, the employee may still obtain from a judge the production of the disputed e-mails in the context of a dispute, provided that such production is necessary and that the infringement is proportionate to the aim pursued.
THE FRENCH DATA PROTECTION AUTHORITY: LA CNIL
The “Commission Nationale de l’Informatique et des Libertés” (CNIL) was created by the Data Protection Act of 6 January 1978.
The CNIL is an independent administrative authority, i.e. a public body that acts on behalf of the State, without being placed under the authority of the government or a minister.
It is responsible for ensuring the protection of personal data contained in electronic or paper files and processing, both public and private.
It is responsible for ensuring that information technology is at the service of the citizen and that it does not infringe on human identity, human rights, privacy or individual or public freedoms.
It is made up of 18 elected or appointed members (parliamentarians, representatives of high courts, etc.) and is supported by departments (for example: European and International Affairs department, Social and human resources affairs department, State and local government affairs department, etc.).
This body alerts, advises and informs all audiences, and also has the power to carry out inspections and impose sanctions.