With the adoption of the General Data Protection Regulation (2016/679) (GDPR), European legislation has strengthened the rights of individuals with regard to their personal data, giving them greater control and greater visibility over how it may be used, including a right of access.

Employers should pay particular attention to the right of access, which, in France at least, is often being misused by former employees.

Article 15 of the GDPR grants an employee (a 'data subject') the right to obtain from his or her employer (a 'controller') confirmation as to whether or not his or her personal data is being processed by the employer and, if so, the employer must provide a copy of the personal data undergoing processing.

In France, this right of access is often exercised by the employee after the termination of his or her employment contract by the employer on grounds which the employee intends to challenge in a labour tribunal hearing. The aim is to obtain as many documents as possible from the former employer that relate to or concern the employee and his or her employment record and dismissal, for use in the tribunal proceedings.

However, seeking access to such documents for such purposes has nothing to do with the employee's rights under Article 15 of the GDPR. In fact, such conduct is tantamount to a misuse of the employee's right of access, and the employer must be prepared to reject requests for such access or, at least, limit such access.

Experience shows, however, that faced with a steady increase in requests for access allegedly based on Article 15, many companies are still at a loss as to how to deal with them and how to respond.

This article addresses the following questions:

  • What information is "personal data" to which employees may have access under Article 15?
  • Are the objectives and purposes of the GDPR relevant to identify 'personal data'?
  • What data can be considered as actually relating to the individual?
  • What limits to the exercise of the right of access can the employer impose?

What information is "personal data" to which employees may have access under Article 15?

The concept of "personal data" is defined in Article 4(1) of the GDPR as "any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person".

A non-exhaustive list of personal data has been drawn up by the European Data Protection Board (EDPB), the body responsible for ensuring that the GDPR is properly applied in the Member States of the European Union.

The EDPB considers that personal data means information relating to the data subject him or herself.

In addition to objective basic data (such as surname, first name, telephone number, etc.) personal data also includes subjective data concerning the activities, behavior or habits of the data subject such as economic or financial data (purchase history, solvency indicators), geolocation data, health-related data, data resulting from activity registers, transaction histories, Internet usage, research activities, data relating to the interaction of the person concerned with an advertiser's advertising banners (making it possible to establish the advertising profile of the Internet user), or data relating to the data subject's skills and knowledge.

Key point: to qualify as personal data, the data must provide information about the data subject, who is thus identified or identifiable by characteristics that are specific to him or her.

Are the objectives and purposes of the GDPR relevant to identify 'personal data'?

It is essential to remember that the exercise of the right of access cannot be disconnected from the objectives of protecting the fundamental rights laid down by European legislation on the protection of personal data1.

The exercise of the right of access on the basis of Article 15 of the GDPR must also respect the purposes for which the right of access is given.

On this point, the EDPB states that "(....) the purpose of the right of access is to make it possible for the data subjects to understand how their personal data are being processed as well as the consequences of such processing, and to verify the accuracy of the data processed without having to justify their intention. In other words, the purpose of the right of access is to provide individuals with sufficient, transparent and easily accessible information about data processing, regardless of the technologies used, and to enable them to verify different aspects of a particular processing activity under the GDPR (e.g. lawfulness, accuracy)".

Key point: there should be no right of access unless access is required to enable the data subject to understand how his or her personal data are being processed (and the consequences of such processing) and to verify the accuracy of the data processed. Access should not be available where the fundamental rights of individuals, in particular to the privacy of their private life, are not threatened. Accordingly, an analysis of the impact on these fundamental rights and freedoms of information likely to be classified as personal data is a necessary prerequisite to enable the employer to assess whether access is appropriate.

Key point: the first step that the employer should take to identify the personal data to which it is required to give access is to check whether the processing of the data could have an impact on the rights and freedoms of the data subject, and whether the data subject could exercise his or her right to rectification or erasure of the data.

What data can be considered as actually relating to the individual?

The case law of the Court of Justice of the European Union (CJEU) confirms that information "relating to" the data subject qualifies as personal data when it is directly linked to that person, highlighting specific characteristics such as his or her behavior, knowledge, intellectual abilities, orientation, cultural, economic or social choices, etc., all of which make it possible to identify that person or make him or her identifiable.

On the other hand, the CJEU has ruled, in relation to the exercise of the right of access to administrative documents, that while information relating to asylum seekers – such as names, contact details, nationality, date of birth, origins and religion - falls within the scope of the definition of personal data, a third party's legal analysis of the situation that is based upon that personal data is not itself 'personal data'.2

According to the CJEU, such an analysis does not constitute a set of data on the data subject, but an application of the law to that person's situation, even if that situation is established by means of his or her personal data.

The CJEU has regard to the essential prerequisite of taking account of the objectives and purposes of the GDPR, referred to above. Accordingly, allowing a right of access to a legal analysis does nothing to guarantee the protection of the data subject's right to privacy and in no way allows the data to be rectified or deleted, as the analysis is a prerogative of the administration.

An analysis of personal data is therefore not itself personal data and is not accessible under Article 15 of the GDPR. In fact, an analysis cannot be checked, rectified or deleted on the grounds that it is incorrect or invasive of privacy. The rights granted by the GDPR are therefore not likely to be exercised on such an analysis.

What limits to the exercise of the right of access can the employer impose?

However broad it may be, the right of access organized by Article 15 of the GDPR is not absolute.

We see three main limits to the exercise of this right that companies can rely on.

First limitation: the need for prior data collection

The data concerned by the right of access must have been collected in one way or another prior to being processed3.

It should be noted that data may still qualify as personal data where it has been collected indirectly, that is, where it was not collected directly from the data subject but is derived or has been derived from other data.

Second limitation: the distinction between data and media

The right of access relates to personal data and not to the medium in which it is contained or appears. The GDPR makes no provision for the right of access to extend to documents containing personal data4.

Thus, if a document contains personal data, the employer must assess, on a case-by-case basis, whether it needs to disclose the document or only the data in question. In this respect, if the personal data is intelligible without the production of its medium, there is no obligation on the employer to communicate the medium itself.

It should be noted that as the aim is to guarantee the exercise of the data subject's rights, the communication of personal data extracted from a document may be accompanied by a text contextualizing the data to ensure that it is understood by the applicant.

Key point: the right of access to a copy of personal data does not mean that the employer has to provide a copy of the document containing the personal data. An employer may choose the format of the personal data that is provided to the employee and is under no obligation to communicate documents such as emails which may contain personal data of its employees.

Third limitation: respect for the rights of others

The exercise of the right of access must not infringe the rights and freedoms of third parties5. In particular, the right of access must not infringe the confidentiality of correspondence. This is a fundamental freedom recognized in respect of all individuals6.

Furthermore, Recital 4 of the GDPR specifies that the implementation of the right of access "respects all fundamental rights and observes the freedoms and principles recognized in the Charter as enshrined in the Treaties", in particular, amongst other examples, "the freedom to conduct a business". In our opinion, this will allow the employer to balance the right of access to personal data with its own economic interests and the confidentiality of the internal discussions necessary to ensure such interests.

Indeed, although the rights enshrined in the GDPR concern natural persons, the balancing of the rights of a legal person with those of a natural person should not be excluded. Rights in respect of trade or business secrets and intellectual property, which are often held by legal persons, are cited by European sources as having to be taken into account in the balancing exercise.

However, the EDPB has adopted a more restrictive position which is that a company's commercial interests cannot justify a refusal to disclose personal data, unless disclosure will infringe business secrecy, intellectual property or other (undefined) rights7.

Key point: the confidentiality of internal exchanges within the company (for example within the human resources team with regard to employee management) may justify a rejection of an application for access.

In our opinion, the right of access does not allow an employee to obtain disclosure of all his or her professional documents and e-mails arising from the employment relationship, but only the personal data concerning him or her contained in those documents, provided that this information was collected by the employer and disclosure does not conflict with the rights and freedoms of third parties.

In practice, how should companies respond to employee requests?

A request for access to personal data is in no way automatic; on the contrary, it must be the subject of a process of reflection by the employer that is designed to identify and preserve, as far as possible, the various interests involved. This is the position of the French courts in particular, for whom the right of access under Article 15 of the GDPR "must be considered in relation to its function in society and weighed against other fundamental rights in accordance with the principle of proportionality".8

The approach should be a case-by-case analysis, based on the answers to a number of questions:

  • does the data requested constitute information directly relating to the data subject who is thus identified or identifiable by virtue of characteristics specific to him or her?
  • has the data been collected in advance?
  • does access to the data concerned allow fundamental rights and freedoms to be protected, and in particular the data subject's right to privacy?
  • does this information allow exercise of the rights conferred by the GDPR (rectification, deletion, objection)?

If the answers to these questions are positive, the employer will still have to choose the medium for communicating this data and check that communicating it does not have a negative impact on the rights of third parties. If this is the case, the employer will have to evaluate which measures will have to be implemented to limit the impact of disclosure on third parties whilst ensuring that the personal data that is clearly accessible under the GDPR is promptly and fully disclosed9.

In practice, the employer may choose to provide, for example, a redacted document or spreadsheet containing the data subject's personal data, omitting certain metadata (in particular the name and email address of the sender of an email dealing with the data subject's situation).

Finally, if the employer determines that it is justified in rejecting access to the personal data requested, or any part of it, it must justify its decision in writing to the employee10.

Footnotes

1. Article 1, paragraph 2, of the GDPR, which states that "This Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data". This objective of protecting fundamental rights and freedoms as well as the right to privacy was reiterated by the Article 29 Data Protection Working Party in its opinion 04/2007 on Directive 95/46/EC, which was succeeded by the GDPR, in the following terms: "to protect the fundamental rights and freedoms of natural persons and in particular their right to privacy, with regard to the processing of personal data". "These rules were therefore designed to apply to situations where the rights of individuals could be at risk and hence in need of protection".

2. CJEU 17 July 2014, C-141/12 and C-372/12 YS v Minister voor Immigratie, Integratie en Asiel and Minister voor Immigratie, Integratie en Asiel v M and S.

3. GDPR, Recital 63 and European Charter of Fundamental Rights, Article 8, §2

4. CNIL (French Data Protection Authority), Note of 5 January 2022 and CJEU, 4 May 2023, C-487/21 Österreichische Datenschutzbehörde and CRIF; EDPB Guidelines 01/2022 on data subject rights - Right of access, v. 2.0, op. cit. p. 48, §152

5. GDPR, article 15, 4.

6. ECHR, art. 8 and Charter of Fundamental Rights, art. 7

7. EDPB Guidelines 01/2022 on data subject rights - Right of access, v. 2.0, op. cit. p. 53, §170

8. Grenoble Court of Appeal 9 May 2023, no. 22/03064

9. EDPB Guidelines 01/2022 on data subject rights - Right of access, v. 2.0, op. cit. p. 5.

10. GDPR, article 12, paragraph 4
