


France: Employees’ ‘right of access’ to their professional emails: recent updates of CNIL’s guidelines


published on 24 March 2025 | reading time approx. 8 minutes


In recent years, the GDPR has increasingly been leveraged by employees, not only to exercise their data protection rights but often as a strategic tool in workplace disputes. This growing trend has placed employers in a challenging position, particularly when it comes to handling former employees’ complex access requests that require balancing privacy rights, transparency, third-parties’ rights, confidentiality, and legitimate business interests.

Employees' requests for access to all their professional emails clearly illustrate the challenges employers face. Even when these requests do not appear excessively abusive (for example, asking for all emails sent or received over a limited period of time and not 10 years) — a topic we discussed in an earlier article on abusive access requests — companies, especially small and medium-sized businesses, often become overwhelmed by the volume of work involved in processing these requests within the required timeframe.

This challenging position (and its concrete impact on organizations) is reflected in the 2024 Coordinated Enforcement Action report, published by the European Data Protection Board (EDPB) on January 16, 2025.

Based on investigations carried out in collaboration with local data protection authorities, the report revealed that many organizations are particularly concerned about the significant time and cost involved in processing access requests, as well as the risk of misuse. As a result, they often resorted to providing partial responses or even excluding certain processing activities from their responses, and sometimes went as far as invoking the ‘abuse of rights’ theory to reject all or part of the request.

Against this backdrop, the French Data Protection Authority (CNIL), which subsequently released its own assessment of the inspections it conducted in 2024, updated its guidelines on January 31, 2025, refining its approach to employees’ right of access to their personal data and professional emails.

This widely referenced document, last updated in January 2022, offers valuable clarifications on how businesses should address these requests, providing much-needed guidance for compliance, although it remains imperfect in certain aspects.

Until recently, the CNIL’s guidelines primarily focused on what information employers should provide when responding to an employee’s request to access professional emails, but lacked clear, actionable advice on how to manage large requests in practice.

Key reminders on employees’ right of access to their professional emails

Employers must assess, on a case-by-case basis, whether granting this access could infringe on third-party rights. To make this assessment easier, the CNIL suggested distinguishing between two scenarios:
  • When the employee is the sender or recipient of the emails in question;
  • When the employee is only mentioned in the content of the emails (provided the employee’s request targets such indirect emails).

On the one hand, if the employee has already seen the content of the emails, the employer can generally assume that granting access will not violate third-party rights. Sharing the emails or personal data is usually acceptable, although anonymizing third-party data (clients, colleagues…) is recommended as a best practice if specific risks are identified.

If the employer believes sharing the emails could harm third-party rights or compromise confidential business data, such as trade secrets or sensitive financial information, they must first attempt to mitigate this risk, for example, by redacting or anonymizing certain information. If this is not possible, the employer can refuse the request but must provide a clear, justified explanation.

On the other hand, if the employee is only mentioned in the email content (i.e. the employee has never seen the email), the employer must carefully balance access rights with the need to protect internal communications. First, they should assess whether fulfilling the request would require invasive steps, such as scanning all employee inboxes. If so, they can ask the employee to narrow the request. If the employee refuses, the employer can deny the request based on third-party rights and the secrecy of correspondence.

If the emails can be retrieved without excessive intrusion, the employer must then assess whether disclosing them, even with redactions, could still compromise the confidentiality of the sender or other recipients. For instance, an employer may refuse to provide access to emails concerning a disciplinary investigation, especially if revealing their content could indirectly expose individuals involved in the case.

What’s new?

Until now, the CNIL’s guidelines had not specifically addressed requests involving large volumes of emails, in particular over several years (sometimes employees request their emails from the beginning of their employment in the company). This has now been remedied in a dedicated section.

First, the CNIL reminds data controllers of an essential point often overlooked: emails are personal data processing activities, and therefore, it is important to establish retention periods (usually in the form of storage limits and email archiving operations). The deletion of an email account and its contents (after filtering and sorting if necessary) after an employee leaves is also an essential principle of information system security rules. In short, a data controller cannot be expected to provide years of emails since they are not supposed to exist anymore.

Second, although the CNIL does not define what it considers a “large” number of emails, leaving employers to use their discretion, it does clarify what it means by "personal data" in the context of emails.

The CNIL specifies that when responding to an access request, employers must provide:
  • Email metadata (i.e. timestamps and recipient information);
  • Personal data contained in the emails.

It is worth noting that the CNIL's position here contrasts with that of the Court of Justice of the European Union (CJEU), which, in its ruling of May 4, 2023, excluded metadata from the scope of the right of access.

Finally, to address the challenges posed by large access requests, the CNIL also provides a new methodology that, while not contradictory to previous guidelines, offers more practical guidance on how to respond to such requests:
  • Instead of emails, employers can provide an ad hoc summary table listing emails sent, received, or where the employee’s name appears.
  • Employers should inform the employee that extracting personal data from these emails is burdensome and encourage them to narrow the scope of the request to facilitate processing.
  • Depending on the employee’s response, the employer will then provide the relevant data from the emails.

In a nutshell: The CNIL clarifies which formats can be used to respond to such requests. While providing full email copies remains a viable option — though often requiring content redaction — it confirms that employers can instead generate a log table listing the emails, supplemented with relevant personal data from the listed emails.

We note with interest that these recommendations correspond to the practices that we ourselves had put in place in the absence of clear guidelines.

Our takeaways

To ensure compliance with the GDPR while protecting the company’s interests, employers must take proactive steps.

First, a well-structured anticipated approach and organization will not only help meet legal obligations but also prevent misuse of data access rights.

Second, one essential measure is defining a clear data retention and deletion policy, particularly regarding professional emails. Setting a specific retention period and effectively deleting the emails, messages and/or content after an employee’s departure allows companies to manage access requests more efficiently and reduce the risks associated with excessive data storage.

Third, analyze the admissibility and merits of all or part of the request, insofar as some requests may be vague, excessive, or even abusive and may therefore be rejected or delayed.

In this respect, companies should also implement a structured internal process for handling access requests. This ensures that responses are timely and compliant with regulatory deadlines, reducing the risk of penalties or disputes. A well-organized approach helps streamline requests while maintaining operational efficiency.

Lastly, companies must carefully consider, on a case-by-case basis, the method of providing access to personal data — whether by offering full document copies or sharing personal data in a dedicated summary table, as newly proposed by the CNIL:
  • Providing full document copies may seem like the easiest and fastest option, but it also carries significant risks.
While this option might appear to save time, it greatly increases the chance of inadvertently disclosing sensitive personal or confidential data. For instance, direct personal data like personal contact information (email addresses, phone numbers), and indirect data such as colleagues' health status, work performance evaluations, or salary information, could be exposed. Similarly, client data such as banking details (IBAN, BIC) could also be revealed. Confidential business information — like trade secrets, non-public financial reports, sensitive contract terms, or pricing strategies — could be unintentionally shared. Second, sorting and masking non-communicable content is also generally very time-consuming, even though automated sorting tools are starting to appear.
  • Preparing an ad hoc summary table containing only relevant metadata and personal data presents its own challenges as well.
While this approach limits the risk of exposing sensitive information, this “new option” is not without its own drawbacks. It can be highly time-consuming, especially for small businesses with limited resources. It requires careful planning and coordination across departments (HR, IT, legal), and without automation, it can be disruptive to normal operations.

Furthermore, ensuring the accuracy of the data presented in the summary table can be challenging, especially when dealing with complex or large-scale access requests. Employers must have a trained DPO or GDPR referents (working in collaboration with IT services) capable of understanding exactly what constitutes personal data and how to identify it, as well as how to correctly compile and report this data in a log table. If this is not handled properly, it can lead to inconsistencies or errors. Additionally, determining which data is truly relevant for inclusion in the table can be subjective, and without clear guidelines, there is a risk of over- or under-reporting information.

Ultimately, both options have their pros and cons, and the key is to assess the company’s resources and establish a structured approach that minimizes risk while meeting legal obligations. Moreover, in assessing the obligations of each party, the authorities take into account the employer's reasonable capacities and resources.

DATA PROTECTION BITES

Authors

Frédéric Bourguet

Attorney at law (France)

Associate Partner

+33 1 8621 9274

Raphaëlle Donnet

Attorney at law (France)

Associate

+33 1 7935 2542

RÖDL & PARTNER FRANCE
