The CNIL of France has released an article explaining the employee right of access under the EU GDPR.
Article 15 of the GDPR gives individuals the right to request a copy of any of their personal data from a data controller. This also applies when the data controller is the individual’s employer. CNIL has recently outlined in this article, how employers should go about fulfilling requests from current and past employees for their personal data. The organization must be sure of the identity of the applicant. In cases where there is reasonable doubt about the identity of the person requesting the information, the organisation may request proof of identity. This is not necessary in cases where the employee is requesting this information via their professional email, or the company’s intranet. Similarly, the identity can be proven by providing a current or former professional identifier.
Employees should receive their data, and have the right to have this data corrected or deleted free of charge in most cases.
Employees or former employees may request a copy of all the personal data that their employer holds concerning them and must receive this information in an understandable format, making it easy for them to check the accuracy of the information therein. The individual is also entitled to information like the purpose of the use of the data, the categories of data processed, the other organizations which may have obtained the communications data, etc. They may also request that the data be corrected or erased. These requests should be handled free of charge, however in the event that they are unfounded or excessive, for example where additional copies are requested, there may be reasonable costs related to fulfilling that request. This right of access relates to personal data and not to documents, however the organization is not prohibited from releasing documents rather than just the data, if doing so it would be more practical.
Employers must protect the rights of third parties when it comes to fulfilling requests for copies of professional emails.
Employees may request access to professional emails where they were either the sender or receiver, or where they were mentioned in the emails. In cases where the employee was the sender or receiver, it is assumed that the individual has had prior knowledge of the information contained in the messages requested. Therefore the fulfillment of those requests are presumed to respect the rights of third parties. However, in cases where the applicant is mentioned in the content of these emails, it is important that the employer protects the rights and identities of any third parties. It is suggested that the employer first makes an attempt to either delete, anonymize or pseudonymize the data. If this is insufficient it would be necessary for the employer to refuse the request for access, and provide reasons justifying the refusal to the applicant.
Does your company have all of the mandated safeguards in place to ensure the safety of the personal data to collect or process? Aphaia can help. Aphaia also provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.