Employer Is Entitled to Refuse to Provide Access to Former Employee’s Emails in Response to the GDPR Data Access Request
The right of access under the General Data Protection Regulation gives individuals the right to obtain a copy of their personal data as well as other supplementary information. Employees, like other individuals, have a right to make a data subject access request (DSAR) under the GDPR. Responding to employees’ DSARs is frequently a challenging task for employers, as employees’ personal data, particularly emails, is often stored in unstructured formats, and employers will likely need to go through vast amounts of information to find data pertaining to a particular employee while protecting the privacy of other individuals. Employers may deny employees’ access requests in certain circumstances, for example when the requests are manifestly unfounded or excessive. See GDPR Article 57. While the GDPR suggests that requests may be excessive because of their repetitive character, it does not otherwise define the term “excessive.”
In a recent case decided by the Danish Data Protection Authority, a former employee requested to see all emails sent or received via his work email account as well as all other company emails about him. In response, the employer provided the former employee with his personnel file, email correspondence which contained personal information about him, as well as other material which contained personal information. The employer, however, declined to provide access to emails from the employee’s closed work email account.
The Data Protection Authority concluded that an employer may refuse to allow a former employee access to work-related correspondence, including emails, on the grounds that the request is excessive, particularly when it involves a lot of information. The Authority reasoned that work-related emails primarily relate to an employee’s function in his or her position with the employer and that work email accounts do not constitute an IT system intended to process information about employees. The Authority, however, distinguished cases when emails contain personal information about the employee over and above material relating solely to the employee’s work functions. These emails would presumably need to be disclosed in response to the employee’s DSAR. Based on the nature of personal information contained in the work emails in that case, the Danish Data Protection Agency found that the employer was entitled to refuse the former employee access to emails from his work email account.
The GDPR approach to handling employees’ DSARs is informative for U.S. companies, as U.S. legislation is gradually moving towards providing employees with data subject rights. An exemption for employee data under the California Consumer Privacy Act is currently scheduled to expire at the end of this year. The California Privacy Rights Act 2020, which is widely expected to be adopted by referendum this November, would also provide data subject access rights to employees. If the law is adopted, organizations would have only one annual budget cycle to implement data subject access rights for employees before January 1, 2023.