By Mayra Cavazos, Senior Consultant, Tueoris, LLC
Responding in an appropriate and adequate manner to data subject access requests from employees or former employees in the European Union (“EU”) is often far more complicated than it may first appear. One of the most frequent questions we receive is about exactly what personal data a controller/employer is legally bound to provide to employees or former employees exercising their access rights. Just how far and how deep a company must go into its possibly vast archives of employee personal data is not made entirely clear by the EU General Data Protection Regulation (“GDPR”). However, a viable solution can be ascertained by looking to core GDPR principles, exceptions, and to EU Member State guidance.
Data Subject Right to Access and GDPR Article 15
GDPR Article 15 sets out two primary components related to data subjects’ right of access. The first component is clear: data subjects have a right to obtain confirmation on whether a data controller is processing personal data about them. Employers naturally process personal data of their employees as required to facilitate the employment relationship and to comply with legal obligations such as employment, social security, social protection, and taxation laws. Verifying this to employees or former employees is, in practice, a straightforward exercise.
The second component, however, is far less clear: if a controller confirms the processing, then it must provide data subjects with access to the personal data. But what data? The depth to which an employer must go to provide data subjects with personal data about them is a serious consideration for an organization’s human resources group. This is particularly important because access requests received from current or former employees often carry a red flag indicating that the requestor may be preparing litigation against the organization for an actual or perceived wrong.
This second component of Article 15 echoes language from Article 13, which specifies the information about the processing of personal data that must be provided to data subjects at the time of collection. This includes the purposes of the processing, domestic and international recipients of the personal data, the time periods for which the personal data will be processed and, if applicable, the existence of automated decision-making activities and the legitimate interests pursued by the controller. Thus far, fulfillment of the request should be relatively straightforward. Article 15(3), however, requires that the controller provide a copy of the actual personal data undergoing processing.
Practical Fulfillment of Data Subject Access Requests
Reading Article 15(3) in a strict manner, it appears that the employer is required to deliver or make available all personal data that it holds (for example, all e-mail communications from, to, or mentioning the data subject), as Article 15 does not specify a threshold. However, Article 15(4) and Recital 63 make clear that this right is not by any means absolute. Recital 63 states that data subjects have a right to access their personal data in order to be aware of and verify the lawfulness of the processing. The recital states further that this right should not adversely affect the rights and freedoms of third parties.
While it is not clear whether the drafters of Article 15 intended for access rights to be used for purposes such as obtaining information that could potentially be used against an employer in legal actions unrelated to data privacy (e.g., employment law actions), it seems that a request cannot be rejected solely on that basis. In Dawson-Damer v. Taylor Wessing, the appellants requested access to their personal data under the UK Data Protection Act 1998. The appellee refused to fulfill the request, basing part of its decision on the fact that the real motive for the request was to use the information in legal proceedings. The Court held that denying an access request based on this “collateral intention” would amount to the creation of a new ground for the rejection of access requests, contrary to EU Directive 95/46/EC, which aimed to protect the fundamental rights of natural persons under EU law. Although the decision pre-dates GDPR, the outcome is instructive.
Similarly, access requests may be used as an ulterior path to gaining access to sensitive or otherwise private personal data of other individuals. Recital 63 specifically states that consideration of factors such as the rights of other individuals should not automatically result in a refusal to provide access to requested personal data.
In each of these instances, the controller/employer must carefully consider how the request can be adequately fulfilled in a manner which protects their legitimate business and legal interests while respecting the rights of the data subjects. Factors such as reasonableness of the request, actual impact on other individuals, and options such as redaction or obfuscation of some data need to be weighed. And while EU Data Protection Authorities (“DPAs”) and courts have expressed that the motive of an access request has limited relevance, a controller may be justified in only partially fulfilling the request and in reasonably withholding certain information.
Employers should also consider that, due to the nature of the relationship between the data subject and the third party whose personal data may be disclosed in fulfilling the request, the third party’s identity may still be revealed even with obfuscation. Therefore, employers should ensure that they have a valid legal basis for making that disclosure, whether intended or unintended. Individuals such as line managers and supervisors should be informed (in policies or contracts) that it may be necessary to disclose their personal data in response to data subject access requests from current or former employees, and employers should consider (depending on the facts and circumstances of the request and disclosure) whether consent may be necessary. In instances where the legal basis for disclosure is legitimate interest, employers should conduct an analysis balancing their interest in fulfilling the request against the expectations and rights of the third parties involved. Line managers may naturally expect part of their personal data to be provided to employees that were part of their team (e.g., performance reviews); however, a third-party vendor that only exchanged a couple of communications with the data subject in question may not.
Separate from the disclosure of personal data of parties other than the requestor is the issue of possible disclosure of privileged or confidential business information. Employers are not expected to provide records containing information such as trade secrets, confidential communications, and intellectual property. In such instances, the ancillary information should be segregated, if possible, and the request otherwise fulfilled.
Recital 63 recognizes that the employer should have the opportunity to narrow the scope of a request in instances where it processes or otherwise maintains a large volume of data concerning the employee or former employee, by requesting that he or she specify the information or processing activities in question. This may be necessary where an individual has been employed by a single employer for a long period of time and the organization holds a large volume of data such as recruitment data, benefits, salary, bonuses, personnel files, illness records, health insurance, monitoring and appraisals, personnel reports, emails, severance, gym memberships, and so on. Where the employer finds it necessary to ask the data subject to narrow the request, it should, without undue delay, confirm receipt of the request to the requestor and ask the data subject to specify the information that is relevant to the request.
Guidance from the Data Protection Authorities
Despite the anticipation of streamlined, consistent approaches to privacy and data subject rights under GDPR, there is still no uniform approach across the EU for handling access requests from employees or former employees. In the United Kingdom, the Information Commissioner’s Office (ICO) advises that controllers may reasonably withhold some personal data when it involves information about others, particularly about the employer, other employees, and clients. The ICO recommends that when there is a question on whether or not to provide information, the employer should conduct an analysis balancing the rights, freedoms, and expectations of the individuals other than the requestor whose personal information may be produced in response to the access request. Similar to a legitimate interest assessment, the analysis should take into account the employer’s legitimate interests for fulfilling the request and answer the question of whether an individual could reasonably be aware that their personal data will be shared with the requestor or other third parties.
In France, guidance from the Commission Nationale de l’Informatique et des Libertés (CNIL) takes a slightly different tone and approach. The CNIL guidance provides that applicants, employees and former employees should have access to personal data related to the recruitment process (including commentaries and scorings made by the recruiter, if the information was used to make a hiring decision), career history, remuneration, performance reviews, disciplinary file, and any other information used to make a decision about the employee (such as a promotion or a salary increase). While the CNIL is silent on personal data contained in email communications involving the employee making the request, it would appear that emails and other types of communications affecting third parties would still be subject to a balancing test.
Evaluating and fulfilling access requests in the human resources environment can be a difficult, often burdensome effort for businesses. Getting it right, however, can be critical, particularly considering the true uses that may be made of the personal data provided. An understanding of the nuances of the regulatory obligations, supplemented by DPA and court decisions, is an increasingly important component of responding to access requests in a manner that is adequate and compliant, yet protects the valid and legitimate interests of the employer. It will be essential that the privacy function and the HR team collaborate effectively and have a well-understood approach to fulfilling these requests. They should also (of course) seek to leverage their up-to-date and well-maintained Article 30 Records of Processing to identify the location and purposes of processing of personal data about employees, former employees, and applicants, in order to expedite requests. What turns out to be a highly complicated corner of the GDPR truly requires a very well-considered plan that has been communicated to and understood by relevant stakeholders.