Get ready for the GDPR – Employees’ right of access
The new General Data Protection Regulation, which enters into force in May, brings a number of changes and places many new demands on companies. In this newsletter, we focus on employees’ right of access.
A company often registers a wide range of information about its employees. This includes general HR-related information like name, address and account number, but also work emails and patterns of movement if the company car has a GPS installed. The new General Data Protection Regulation focuses on the rights of the data subjects, including the right to gain access to the personal data that the company has registered. Companies should therefore pay particular attention to this right.
What is covered by the employee’s right of access?
An employee has the right to know whether the company has registered information about him or her. If this is the case, the employee is also entitled to gain access to this information.
There are no requirements as to how the employee should gain access to the personal data. In some cases, it will be more practical to provide a copy, while in other cases – for example due to the amount of information – it will be more convenient to ask the employee to come by and go through the data or ask the employee to specify which data or processing activities he or she wants access to. However, the company can never prevent the employee from gaining access to all of his or her personal data, except for the restrictions mentioned below. If the employee has requested access by electronic means, the information must be provided electronically as well.
The Court of Justice of the European Union has previously held that it is sufficient to provide a summary of the registered data that is easy to understand, makes it possible to verify the accuracy of the data and the lawfulness of the processing, and allows the data subject to exercise his or her data protection rights. It is not yet known whether this will also be sufficient under the new rules.
When can the company reject requests?
The new rules lay down certain exceptions to the right of access under which the company can reject an employee’s request for access.
An employee cannot demand to receive personal data if it violates the rights or freedoms of others. This could be confidentiality, the right to private life or trade secrets. In such cases, the company must balance the right of access against the opposing rights of others. Instead of a rejection, the company should rather – to the extent possible – remove the data that could affect the rights of others and then give the employee access to his or her personal data.
An employee’s request can probably also be rejected if it would hinder an investigation or prosecution of a criminal offence. This depends on a case-by-case assessment of whether the employee’s right of access should be given greater weight than the investigation.
Note, however, that an employee does not have the right to be informed of which data has previously been processed. In other words, employees cannot demand information on data that has been stored but later erased.
Finally, an employee does not have a right of access if the request is unfounded, excessive or put forward repeatedly. This exception is probably not easy to invoke, though, and the rules allow the company to charge a reasonable administration fee instead.
What does all this mean in practice?
In terms of usual HR-related data like name, address, account number, social security number and paychecks, the new rules mean that companies must, as a starting point, always grant access to and provide this information.
If the company is in possession of GPS logs that show where the employee was located at a certain point in time, the company can probably refuse to hand over these logs, since they may expose trade secrets such as the addresses of clients or potential clients, or be used to map the company’s sales strategy.
This also applies to emails and information in a work calendar. Both may contain data that constitutes trade secrets, for example contact information on clients, prices of products, drawings or strategy plans. If this is the case, the employee is not entitled to receive the information.
If the company refuses a request, it is important that it documents that it has assessed whether the data could be provided, for example in the form of a memo saved in the case file or a written description of the assessment behind the rejection.
IUNO’s Opinion
The new data protection rules have considerably strengthened the focus on data subjects’ rights, but it remains unclear what effect they will have in practice.
It can be a great administrative burden for companies if they have to grant a number of (former) employees access to all information that has been registered in the company during their employment. Companies can ease the burden by granting remote access to a wide range of this data, provided it can be done in a safe way.
To lessen the administrative burden, IUNO recommends that companies implement efficient systems for routine erasure that ensure that employees’ emails, calendar information, logs and other personal data are erased regularly and no later than when the employee leaves the company. This also supports the principle of data minimization, which plays an important part in the new rules.
[The General Data Protection Regulation article 12 and 15 and preamble 63]