Data protection

Get ready for the GDPR – Employees’ right of access

22 February 2018

The new General Data Protection Regulation that enters into force in May brings along a number of changes and makes a lot of new demands on the companies. In this newsletter, we focus on the employees’ right of access.

A company often registers a wide range of information about its employees. This includes general HR-related information like name, address and account number but also work emails and patterns of movement if the company car has a GPS installed. The new General Data Protection Regulation focuses on the rights of the data subjects, including the right to gain access to the personal data, which the company has registered. Companies should therefore pay particular attention to this right.

What is covered by the employee’s right of access?

An employee has the right to know whether the company has registered information about him or her. If this is the case, the employee is also entitled to gain access to this information.

There are no requirements as to how the employee should gain access to the personal data. In some cases, it will be more practical to provide a copy, while in other cases – for example due to the amount of information – it will be more convenient to ask the employee to come by and go through the data or ask the employee to specify which data or processing activities he or she wants access to. However, the company can never prevent the employee from gaining access to all of his or her personal data, except for the restrictions mentioned below. If the employee has requested access by electronic means, the information must be provided electronically as well.

The Court of Justice of the European Union has previously established that it was sufficient to provide a summary of the registered data that was easy to understand and made it possible to verify the accuracy of the data, the lawfulness of the processing and also allowed the data subject to exercise his or her data protection rights. We don’t know yet if this will be sufficient under the new rules too.

When can the company reject requests?

The new rules do lay down certain exceptions to the right of access where the company can reject an employee’s request for access.

An employee cannot demand to receive personal data if it violates the rights or freedoms of others. This could be confidentiality, the right to private life or trade secrets. In such cases, the company must balance the right of access against the opposing rights of others. Instead of a rejection, the company should rather – to the extent possible – remove the data that could affect the rights of others and then give the employee access to his or her personal data.

An employee’s request can probably also be rejected if it would hinder an investigation or prosecution of a criminal offence. This depends on a specific assessment of whether the employee’s right of access should be attached greater importance than the investigation.

However, an employee doesn’t have the right to be informed of which data has previously been processed. In other words, employees cannot demand information on data that has been stored but later erased.

Finally, an employee doesn’t have a right of access if the request is unfounded, excessive or put forward repeatedly. This exception is probably not easy to invoke, though, and the rules allow the company to charge a reasonable administration fee instead.

What does all this mean in practice?

In terms of usual HR-related data like name, address, account number, social security number and paychecks, the new rules entail that companies as a starting point always need to grant access to and provide this information.

If the company is in possession of GPS logs that show where the employee has been located at a certain point in time, the company can probably refuse to hand over these logs, seeing as they may expose trade secrets such as clients’ addresses or potential clients or be used to map the company’s sales strategy.

This also applies to emails and information in a work calendar. Both may contain data that constitutes trade secrets, for example contact information on clients, prices of products, drawings or strategy plans. If this is the case, the employee is not entitled to receive the information.

If the company refuses a request, it is important that it secures proof that the company has assessed whether it is possible to provide the data, for example in the form of a memo saved in the case files or a written description of the assessment behind the rejection.

IUNO’s Opinion

The new data protection rules have considerably strengthened the focus on data subjects’ rights but it remains unclear what effect it will have in practice.

It can be a great administrative burden for companies if they have to grant a number of (previous) employees access to all information that has been registered in the company during their employment. Companies can ease the burden by granting remote access to a wide range of this data, provided it can be done in a safe way.

To lessen the administrative burden, IUNO recommends that companies implement efficient systems for routine erasure that ensure that employees’ emails, calendar information, logs and other personal data are erased regularly and no later than when the employee leaves the company. This will also comply with the principle of data minimisation, which also plays an important part in the new rules.

[The General Data Protection Regulation article 12 and 15 and preamble 63]

Anders Etgen Reitz, Partner

Søren Hessellund Klausen, Partner

Kathrine Skøtt Jespersen, Senior associate