Defining the Limits of the Right of Access to Employee’s Personal Data
Through a claim from an employee of an IT consultancy, the Litigation Chamber of the Data Protection Authority (“the DPA”) has clarified the boundaries of the employer’s obligations when faced with a request of access to, and a copy of, the former’s personal data. It (i) elaborates on the accepted and unaccepted grounds of refusal for the employer and (ii) underlines that anonymisation constitutes a favoured alternative (Decision 15/2021 of 9 February 2021 of the Litigation Chamber of the Data Protection Authority).
While in service, the employee of an IT consultancy company requested access to, and a copy of, all his personal data (e-mails, IT logs, photos, personal record with annotations and evaluations). The employer partially complied, with the exception of certain elements, the communication of which would not be allowed under the GDPR (according to the employer). Only a mapping of his personal data with the objectives pursued and the recipient of the data, the content of personal data processed by the employer, CV and ID photos were thus communicated. Deeming this reply unsatisfactory, the employee, whose employment relationship was in the meantime terminated upon common agreement, filed a complaint with the Litigation Chamber of the DPA. Starting from the premise that there is no provision in Belgian law that restricts the right of an employee to access his / her personal data processed by the employer, it analysed each ground of refusal put forward by the employer.
First, the DPA focused on the request for personal records with annotations, which was denied by the employer on the ground that it would infringe the protection of personal data of the claimant’s former managers. Based on the case-law of the Court of Justice of the European Union, the DPA adopts a different position, considering that anonymising the records prior to its communication would have been enough to preclude such infringement. Consequently, a mere refusal cannot be accepted and anonymised records must be communicated. The same reasoning is upheld regarding the evaluations, although in this particular case, there were no evaluations of the employee concerned.
Second, the DPA turned to IT logs and took the opportunity to underline that the employer must ensure an efficient and reliable system of IT logs (allowing to browse through them). Here again, the possibility to anonymise such data before communicating the information rules out the possibility of a mere refusal based on third parties’ (e.g. authors of IT logs) rights to privacy. Contrarily, the fact that such communication would create a disproportionately heavy workload for the employer in view of the amount of data to check was deemed to be a valid ground of refusal by the DPA.
Third, the DPA examined the request for access to, and a copy of, the employee’s e-mails. Following the same reasoning, the DPA rejected several grounds of refusal put forward by the employer. The fact that the claimant already had access when he was in service is deemed irrelevant. The risk of an infringement of privacy of recipients, is also ruled out in view of the possibility of anonymisation. The confidentiality of electronic communication is also set aside, given that it only applies to third parties, and not to the author and the recipient(s). Eventually, a refusal based on the necessity to protect the trade secrets of the company triggered a different conclusion. Provided a genuine risk in that regard is ascertained, it is deemed a valid justification for refusing to grant access to and provide copies of the employee’s e-mails. In this particular case, the fact that the employee was aware of the identity of his employer’s clients, the invoiced amounts and sensitive information, along with the fact that he had already published confidential information on a private blog, was determined as proof of a genuine risk.
Finally, the DPA analysed the employee’s claim that his image rights would have been infringed by the recording and displaying of photos taken during professional events. The DPA considered (i) the absence of proof that such photos existed and on (ii) the possibility for the employees to notify their refusal to have photos of themselves recorded or displayed, to conclude that there was no infringement of his image rights.
On this basis, the DPA ordered the communication of (anonymised) personal records, with annotations, lacking in the initial response of the employer. However, underlining the efforts of the latter and the reasonable privacy concerns grounding the refusals to grant access to all the personal data requested, the DPA concluded that no sanction (i.e. fines or reprimand) should be imposed.