Although the right of access to personal data has existed since 1978, when the data protection law was adopted, it is the General Data Protection Regulation (GDPR) that popularized it. Health actors are well aware of patients' right to access their data. However, this right is less well known when it comes to employees, even though the stakes are just as high.
For employees, the right of access means that they need not settle for knowing that their employer processes data concerning them: they can have that data communicated to them. In the UK, employees have made extensive use of this right for several years, in particular in a contentious or pre-litigation context.
And what about France? Does the employer have to grant such a request in every case?
Fortunately for the employer, this right is not absolute. The right of access relates to personal data and not to the documents themselves.
However, when it comes to e-mail, the situation gets complicated. The employer must provide both the metadata (time stamp, recipients, etc.) and the content of the e-mails. The employee cannot, however, obtain every e-mail containing his or her name. The employer must therefore sort the e-mails:
– E-mails identified as "personal" must be isolated and communicated to the employee, without the employer becoming aware of their content or any information being concealed.
– As regards the other e-mails, a distinction must be made according to whether or not the employee is the sender or recipient:
- If the employee is the sender or recipient of the e-mails, it is assumed that he or she already knows the information contained in the messages that are the subject of the request. It is therefore assumed that communicating them respects the rights of third parties (corporate secrecy, intellectual property, right to confidentiality, confidentiality of correspondence, etc.). In this context, anonymising or pseudonymising data relating to third parties is not mandatory (unless it is necessary to protect the rights of third parties). In practice, it is difficult to refuse a request for access in this case (other than by demonstrating that anonymisation or pseudonymisation is not sufficient to protect the rights of third parties).
- If the employee is only mentioned in the content of the e-mails, the employer can ask the employee to specify his or her request (especially to avoid a scan of the e-mails of all company employees), for example by asking for the period or the keywords to be used when searching the e-mails (particularly when dealing with a request in a pre-litigation or litigation context). The employer must also (i) anonymise, pseudonymise or delete data relating to third parties or information covered by a secret, and then (ii) balance the interests of the employee against those of third parties. In this case, it is only if the employee refuses to specify the request (which may justify treating the request as excessive) or if no measure makes it possible to preserve the rights of third parties that the employer can refuse the request, and the refusal must be justified.
In practice, the right of access can prove formidable, both as a means of gathering evidence for the employee and as a constraint on the employer, who will have to take the time to organize the required communication. Furthermore, even refusing a request can require significant effort and take a long time.
As always in the field of data protection, whether or not you decide to grant an access request, the decision must be the subject of a detailed and, above all, documented analysis.
Philippe Thomas, partner, Sophie Montagne and Maëlle Chausse, partners, at Dechert