


Employees’ right of access to personal data: how to reject or limit abusive request


published on 26 June 2023 | reading time approx. 15 minutes


Since it came into force, the General Data Protection Regulation (“GDPR”, or “RGPD” in French) has led to a number of changes for companies, which have had to modify, adapt and supplement their practices and procedures in order to comply with the new requirements for the protection of privacy, including that of employees.

One of these new obligations is to allow individuals whose data is “processed” by a data controller to exercise their rights to verify the lawfulness of the processing and the absence of any infringement of their privacy.

However, the implementation of these rights, and in particular the right of access, presents real difficulties, particularly between employers and employees. 

Indeed, more and more employees, both current and former, are not hesitating to exercise this right with their (ex-)employer, by making more or less extensive requests for access.

We will not dwell at length on the formal requirements of a request for access, which must enable the employer (i) to identify with certainty the employee in question and (ii) to understand the precise nature and scope of the request.

While some requests for access are motivated by a legitimate concern on the part of the employee to ensure that his or her data is being processed lawfully, an increasing number of requests are being used for other purposes, particularly in the context of redundancy procedures or employment tribunal disputes. 

The aim is to accumulate grievances against the employer. These requests are then perceived as a means of disrupting or putting pressure on the employer, who finds himself obliged to mobilize substantial technical, human and/or financial resources to manage and respond to the request. A fortiori, if it fails to respond, or responds incompletely, the data controller could incur potential sanctions from the CNIL, as provided for in the GDPR, and possible legal damages.

Many companies therefore consider rejecting requests deemed excessive or made in bad faith, but are reluctant to find a legal basis for such a refusal, when the right of access is not legally subject to any justification whatsoever.

We therefore propose to look again at the way in which such requests for access should be dealt with, first in order to assess the response options available to the employer, and then, above all, to examine the conditions for their admissibility, an initial phase that is all too often overlooked.

I. Firstly, let us recall what the right of access is

In accordance with Article 15 of the RGPD, any person whose personal data (i.e. directly or indirectly identifying data) is processed (i.e. any operation on such data, including storage) has the right to obtain access to such data and processing from the controller.

On receipt of the request, the data controller must check that it is admissible before dealing with the merits of the request. Naturally, he must check the identity of the person requesting access, in particular by requiring a copy of an identity document and a means of telephone and electronic contact corroborating this identity. Secondly, the request must be precise and comprehensible in order to be processed. For example, the request should target certain data or data media in particular (certain emails, pay slips, promotions, administrative sanctions, etc.), rather than formulating, too vaguely, “all of the employee's personal data, whatever it may be, for the entire duration of his or her employment contract”.

The information to be communicated must enable the data subject (in this case, the employee) to obtain answers to the following questions, which are characteristic of controlled processing of personal data: 
  • For what purpose is my data being processed?
  • On what legal basis (contract, law, consent, etc.)?
  • What data is involved?
  • Who collects my data?
  • Who can access my data? 
  • How long is my data kept? 
  • Is my data processed in such a way as to enable automated decisions to be made about me (e.g. profiling for the purposes of targeted marketing), and with what consequences?
  • What rights do I have over this data?

An additional difficulty is that the data controller must normally provide a response within one month (Article 12(3) of the RGPD) of receiving the request, failing which it may, on complaint by the data subject, face proceedings, or even a penalty, from the supervisory authority or a court. However, this deadline may be extended by two months due to the complexity of a request or the volume of simultaneous requests. In this case, the data controller must still acknowledge receipt of the request and inform the applicant of the extension, giving reasons. 

II. Flexibility in responding to a complex request

1. Communicate only the data, or the media containing these data?

By the expiry of the legal time limit, personal data must be communicated in the form of a copy of the data requested and in an understandable format. Recently, the Court of Justice of the European Union clarified the precise meaning of these criteria.

In a ruling of 4 May 2023 (C-487/21), the Court clarified what is meant by these formal requirements, stating that the request must be for a faithful and intelligible reproduction of all the data. 

This means that the disclosure requirement does not necessarily relate to (copies of) documents or media containing the data (e.g. emails), but to the personal data itself, thereby offering the company a choice. The Court points out, however, that in order to ensure that the information provided is easily understandable and thus enables the data subject to exercise his other rights, it may be essential to communicate the entire documents or media.

Depending on the extent of the request and the requirement for intelligibility, the employer responsible for processing must therefore decide whether it wishes to disclose all or part of the media, for ease of reference, within the limits set out below, or whether it wishes to sort the data and disclose only the personal data contained therein.

Choosing to disclose the media themselves may seem simpler, particularly as there are numerous exceptions that allow the employer to exclude many of these documents or at least some of their content. The Court points out that the data controller must also take account of the rights and freedoms of others, which must not be infringed by the right of access.

2. The rights and freedoms of third parties, enforceable against the requesting employee

This communication must then be balanced against the rights and freedoms of others, which must not be infringed by the exercise of an individual’s right of access. However, the Court points out that such considerations do not permit a blanket refusal to disclose all data to the data subject: the data controller must endeavor to find ways of disclosing the data which do not infringe the rights and freedoms of others, either by sorting the data by reasonable means or by making certain non-disclosable information anonymous.

The right of access, when exercised by employees or former employees, has its own specific features, particularly with regard to access to professional emails.

The French Data Protection Authority (CNIL) has devoted an article to the exercise of an employee's right of access to professional data and emails.  

Like the Court of Justice, the CNIL affirms the possibility of directly communicating the media containing the requested data, provided that this communication does not infringe other equally protected rights.
Let's take the very classic example of the communication of emails, since these are almost always part of employees' requests for access. The CNIL specifies that their disclosure must not disproportionately infringe the rights of others.

There are several ways in which the content of an email can be protected against disclosure to the concerned data subject requesting access, and even more so to a former employee: 
  • An email naturally contains personal information about other people, colleagues, customers or other individuals;
  • An email also often contains confidential information, the protection of which is the responsibility of the company. It is therefore not intended to be transferred to people outside the organisation, such as a former employee;
  • An email may also be protected by professional secrecy (specific to certain regulated professions), business secrecy or a trade secret, subject to its legitimate level of protection. If it were to be disclosed, the company would be held liable;
  • An email may also merely mention the name of the requesting employee, without the latter ever having had access to it. This is particularly the case in the context of a confidential exchange between hierarchical superiors, relating, for example, to the employee's appraisal, the preparation of a sanction or promotion, a pre-litigation, etc.

In this context, the CNIL distinguishes between two situations: where the applicant is the sender or recipient of the emails covered by the request, and where the applicant is only mentioned in the content of the emails. 

In the first case, the employee is presumed to have already been aware of the information contained in the emails and their communication is therefore considered, in principle, to respect the rights of third parties. However, if there are still valid reasons (as discussed above) against disclosure, it is up to the employer to delete, anonymize or pseudonymize the protected content, or even to refuse disclosure in certain cases of abuse, as discussed below. 

For example, it is difficult to envisage communicating to a former employee, who is now a third party to the company, the entirety of an email containing legitimate business secrets or numerous personal details of third parties. Even if the employee was aware of the information when he or she was in post, once he or she has become a third party to the organization concerned, the latter can no longer consider him or her to be part of the circle of confidentiality organized by law or contract.

In the second hypothesis, the selection process is inevitably complicated, since it would require a search of all the emails requested by the employee, which is difficult to envisage, both humanly and technically. The employer must therefore carry out two preliminary checks: 
  • Firstly, it must ensure that the means to be used to identify the emails requested do not result in a disproportionate infringement of the equally protected rights of all employees and other persons concerned. An example of this would be if the employer had to use highly intrusive means, such as scanning all employees' email inboxes to detect personal data. If this is the case, the employer should ask the applicant to be more specific about the scope of the request, which is usually formulated far too broadly ("all my emails since...");
  • The employer must then examine the content of the emails and assess whether their disclosure might infringe other protectable rights: respect for the privacy of third parties, respect for the confidentiality of correspondence, respect for the confidentiality or secrecy of information exchanged, and so on;
  • Here again, it will first be up to the employer to delete, anonymize or pseudonymize the problematic content or, only if this still does not make it possible to safeguard the protectable rights of third parties, to refuse the request, giving reasons and justification for its decision.

In the case of emails, where the request is extremely broad and non-targeted, it should be remembered that, unless the content can be anonymized for communication purposes, it is possible to transfer only the personal data contained, i.e. in particular the logs of these e-messages (identity of the person concerned, date, time, sender or recipient, etc.), rather than the emails themselves, even if this means asking the requesting party for further details.

Like a tightrope walker, the data controller must therefore find a solution that both respects the employee's right to access his or her data and does not infringe other rights, particularly those of third parties, protecting the media or content in question, containing the data.

It is precisely because the right of access is difficult for employers to handle that it is regularly exploited. 
However, in legitimately worrying about the complex, time-consuming and costly procedures for responding to dubious requests, the employer often forgets to ask the first essential question: is the request admissible and well-founded?

III. The inadmissibility of certain claims... for abuse of rights?

It should first be remembered that, in the event of an imprecise request, the company can always ask the employee for further details before validating the request, or even exclude certain manifestly unfounded requests.

Over and above this initial filtering (including verifying the identity of the requesting data subject), a growing number of employees or former employees, in dispute with their employer, are making access requests targeting a disproportionate amount of their data, not out of concern for their privacy, but either with the aim of disrupting the company's business, by forcing it to mobilize human, technical and financial resources, or with the idea of adding an easy grievance against the company, which could lead to a sanction by the CNIL or judicial damages.

This type of opportunistic request generally seeks disclosure of all the data collected by the company throughout the employee's period of employment, and in particular all their professional emails or IT logs, which represents a phenomenal quantity of documents and, consequently, a great deal of analysis and sorting work.

Many companies receive and process these requests, despite the cost, time and human and technical investment required, without giving sufficient thought to their initial admissibility.

In fact, in addition to the sorting of requests, mentioned above, to refuse the communication of data that would undermine other higher interests or the rights of third parties, there is a very broad formulation in Article 12 paragraph 5 of the GDPR, which allows all or part of a request to be rejected on the grounds that it is inadmissible or unfounded: “Where a data subject's requests are manifestly unfounded or excessive, in particular because of their repetitive nature, the controller may: (...) (b) refuse to comply with those requests”.

It is therefore possible for the data controller to refuse a request for access if it meets these characteristics. This can be compared with the theory of abuse of rights, a philosophy based more on case law and doctrine than on regulations, according to which the fact of diverting a right from its purpose, its spirit, with the idea of harming others, ultimately prohibits the valid invocation of this right.

In what specific situations might employers be able to invoke these grounds in order to reject certain disproportionate claims by current or former employees? To what extent can abuse of rights, an unwritten theory, be applied to the exercise of people's rights under the GDPR?
 
The CNIL and case law, both French and European, have not really had the opportunity to rule on this particular issue, even though the phenomenon is widespread. It is therefore difficult to assess the applicability of this theory to this situation. On the other hand, the spirit of the law - the GDPR and its national applications - is clear: the aim is to protect the privacy of individuals, be they employees, citizens or others, by enabling them to check whether the processing carried out by the entities collecting their data complies with European regulations.

Typically, a request for general access to all company files containing the employee’s personal information, and in particular all emails, for the entire duration of the employee's employment contract (or even simply for many years), without any further specification, is not in itself abusive within the meaning of the GDPR, but already raises some serious suspicions and, in any case, makes the company seriously question its obligations and its ability to process it correctly.

In our view, for such requests to be considered abusive, they need to be corroborated by a particular context: an employee being made redundant, employment tribunal proceedings, a social movement aimed at disrupting the company's activity, a disproportion between employer’s capacity to handle this request and the employee’s interest to obtain a large amount of data, etc. 

Decisions in other countries also seem to point in this direction, in very specific applications that could however be linked to the concept of abuse of rights.

In Germany, for example, the Pankow supervisory authority has ruled that it is possible, in certain situations, to refuse a request for access if there is a manifest disproportion between the effort required to communicate the data and the interest of the individual in accessing the data. The case in point concerned an individual who had asked the operator of a transport network for surveillance camera footage of one of his recent journeys. After noting that the data controller had already provided the applicant with a set of information complying with the legal requirements (information on the processing and on the data (duration, date, places filmed, etc.)), the authority ruled that the data controller did not necessarily have to provide the video recordings themselves.

On the one hand, the person concerned had no additional interest in receiving more than the information provided, since the journey in question was very recent and limited in time (48 hours) and the individual did not normally need these videos to remember it. On the other hand, obtaining these filtered recordings would have required the company to put in place disproportionate technical and human resources, in particular facial recognition tools that it did not have, in order to separate the images relating solely to the individual from those, which could not be disclosed, relating to other people or other protected interests.

This decision on the disproportion between the interests of one party and the reasonable capacity of the other is interesting and can be applied to a number of similar situations, particularly when the employee insists on receiving the documents containing his data and not only the data itself.

In Belgium, the data protection authority ruled on the specific case of a request from a former employee for access to all his IT logs (professional connections to his work sessions and various online services). The Belgian authority upheld the employer's refusal, stating that granting the employee's request would have imposed on the employer an obligation disproportionate to the employee's interest in exercising his right to data protection. 

In particular, it explained that the employee had not particularly justified his interest in receiving these IT logs, beyond legitimate information on the processing carried out, and that implementing such a request would have required a systematic, time-consuming and costly search of all the IT logs linked to the employee, in order to exclude third-party data and other protected information.

More generally, the notion of abuse of rights has also been raised by certain foreign authorities or courts, notably in Switzerland. Thus, when the company receives a request that is characterized by (i) an unusual request for access to a very large number of documents or data, and therefore not targeted, (ii) a context likely to reveal a negative intention on the part of the employee, other than the simple exercise of his rights to privacy, and (iii) a need to mobilize disproportionate resources to respond to such requests, in relation to the organization's capacities and the employee's interest in accessing this volume of documents, the question of rejecting such a request, even partially, on the grounds of abuse of rights (but still on the parallel basis of the GDPR), seems to us to be extremely relevant.

Although the CNIL or the French courts have not yet given a clear ruling on these grounds for rejection, in France, it is legitimate to apply the criteria of the GDPR ("obviously unfounded and excessive"), or even the theory of abuse of rights, to reject all or part of certain requests for access, particularly in the context of employer-employee relations.

Pending clarification from the CNIL or a court, however, we must remain cautious and ensure that we analyze each situation carefully on a case-by-case basis. The principle remains that a request for access does not have to be specifically justified and must therefore be processed, while the rejection thereof - generally in part - remains an exception, the legal justification for which must be scrupulously examined.
Once again, this is a balancing act, involving a search for the right proportionality between the applicant's interest in accessing his or her data and the protection of the legitimate interests of both the controller and third parties.

DATA PROTECTION BITES

Author

Frédéric Bourguet

Avocat

Associate Partner

+33 1 8621 9274

RÖDL & PARTNER FRANCE
