The right of access under the GDPR: What employers need to know

As of 25 May 2018 when the General Data Protection Regulation 2016 ("GDPR") came into force, employers across Europe have been faced with increasing numbers of requests from their employees wanting to know what personal data their employer holds about them, how long such data is held and where it is stored, who this data is shared with and how the employer obtained this data. The right of access under Article 15 GDPR is the vehicle used for most, if not all, such requests, known as 'data subject access requests' or 'DSARs' for short.

Below, we discuss the use and significance of the right of access under Article 15 GDPR in the employment sphere, including its scope, prerequisites, what employers can do to adapt, and the consequences of a breach.

The wider context: individual data rights in the EU

The GDPR heralded the biggest change to EU data protection regulation in over twenty years. Its purpose is to harmonise and modernise data protection laws across the EU, taking into account the technology, communication and data concerns of today, and where possible, those of tomorrow. Whilst the stated intention was to create a 'one stop shop' for data protection regulation, in practice the GDPR acts as a framework and leaves key details to be determined by domestic legislation (particularly in the HR sphere).

With regard to the right of access under Article 15 GDPR, the basic individual right applies across the board without the need for implementing domestic legislation, as the GDPR is directly effective. However, the framework created by the GDPR leaves countries free to determine the applicable exemptions. This has led to significant variation across the EU in terms of both the scope of the right in practice and the response or outcome that the individual data subject eventually receives, as well as the approach and attitude of national supervisory authorities.

Ahead of the GDPR coming into force, significant media attention in a number of European jurisdictions highlighted the increased individual rights available under the GDPR, and in particular the right of access to personal data held or otherwise processed by a controller or processor, including employers. As might be expected, employers have seen a clear parallel increase in staff awareness of their rights in relation to information held by their employer.

Perhaps unsurprisingly, this has led to a notable surge in requests based on Article 15 GDPR across the EU. Further, whilst some such requests are born of a genuine employee concern about the treatment of their personal data, anecdotal evidence suggests that access requests are often (if not principally) used as a simple and cost-effective way to exert pressure on the employer, whether by increasing an employer's legal and management costs, threatening the risk of regulatory involvement or with a view to obtaining information (for use in claims or negotiations) at an early stage. This is particularly the case in relation to negotiated exits and terminations, and in negotiations involving employee representatives such as works councils and trade unions. Further, it is notable that, post-GDPR, employees appear increasingly willing to make such requests while still in employment or engagement.

1. Who can assert the right to information under Article 15 GDPR?

Each employee has the right to access his or her personal data under Article 15 GDPR, irrespective of the length of service or other features of the employment contract. It is not possible to impose a general restriction on the exercise of this right, or for employees to agree to exercise this right in such a way that represents a general restriction.

Whilst we talk about 'employees' in this article, it is worth noting that the right of access is available to current and former staff members (including employees, workers and independent contractors or consultants), including:

  • individuals employed, engaged or otherwise working in an EU member state;
  • individuals employed or engaged by an entity based in an EU member state; and
  • individuals who are nationals of an EU member state (even if they are based or otherwise working overseas).

As a reminder, this will apply irrespective of whether personal data relating to that individual is processed in the EU or outside the EU. As may be anticipated, this may create tensions between the applicable laws of relevant jurisdictions (and in particular with those laws applicable in the USA, China and Russia, for example).

It is possible for parties other than the individual themselves to make a request; the conditions for making vicarious requests vary across the EU member states, but the broad position is that this can be done with the individual's permission and/or where the individual is not able to make such a request themselves.

2. What information do I have to provide as an employer?

Under Article 15 GDPR, employees have the right to obtain from the employer confirmation as to whether or not personal data concerning them are being processed and, where that is the case, the employee can demand further details (set out in Article 15(1) GDPR) as follows:

  • the purpose(s) of the data processing
  • the categories of personal data processed
  • previous, current or future data recipients
  • the period for which such data is stored
  • the source or origin of the data, if the data did not come from the employee themselves
  • the existence of any automated decision-making processes involving the data

Employers must also inform employees of:

  • the right to object to processing;
  • other individual rights available including the right of erasure, rectification and data portability; and
  • the right to complain to a supervisory authority.

Under Article 15(3) GDPR, the employee can also request a copy of the personal data undergoing processing.

3. Are there certain formal requirements?

There is no specific form in which a request exercising the right of access must be made – a request may be made orally, in writing or electronically. Employers must therefore take steps to ensure that staff can identify an access request under Article 15 GDPR when it is made. In a number of EU member states, it has become common practice for company policies to require that any such requests be submitted in writing, whether by email/letter or using a set form provided by the employer, in order to assist the company in identifying an Article 15 request at the outset. This may not protect such employers in the event of a failure to comply with a request made in another form, but there is clear practical value in such approaches irrespective of any legal merits.

On receipt of the request, the employer should take steps to verify the identity of the individual who is the subject of the request exercising the right of access (and where different, the person making the request). Aside from the requirement to do so under the GDPR, there are considerable risks in providing the information required under Article 15 GDPR to the wrong person.

Individuals making a request do not have to justify their reasons for doing so. Going further, the courts in a number of jurisdictions (e.g. the UK) have made clear that even where individuals have an acknowledged alternative motive in making such a request, this will generally not defeat the underlying right of access. In other words, even if the individual has an ulterior, non-data protection-related reason for making the request, the employer must generally still comply with its obligations under Article 15 GDPR and provide the information required under that provision.  

The employer may provide the information required by Article 15(1) GDPR in writing, by electronic means or, at the request of the employee concerned, orally. Irrespective of the format in which the information is provided, the employer must provide the information required in a precise, transparent, comprehensible, easily accessible form and in clear and simple language.  

There are prescribed formalities with regard to the format in which information required under Article 15(3) GDPR must be provided. If the employee submits the request electronically, the provided data must be made available in a common electronic format (e.g. as a PDF file).

The employer must make the information required under an Article 15 request available to the employee "without delay", but at the latest within one month of receipt of the application. In certain circumstances, this period may be extended by a further two months; where the employer believes it will exercise this extension, it must communicate this to the employee. Example reasons for extending the period for reply would be that the request is complex, is likely to generate significant amounts of data as part of initial results or requires multiple searches across numerous systems.

4. Who bears any costs incurred?

The costs for making these copies are generally to be borne by the employer. That said, in exceptional cases (for example where the individual requests further copies of the same information or if the employee submits excessive or manifestly unfounded applications), the employer may ask the employee to pay an appropriate fee.

Guidance on fees in exceptional circumstances is, as a general rule, relatively limited across the EU member states. The general position is that the fee can only take into account directly attributable costs – in other words, administrative costs for the information, notification and/or implementation of the requested measure, as well as material and postage costs or personnel or machine costs for the specific application process. General personnel and operating costs cannot be factored into the fee.

As yet, anecdotal evidence suggests that employers have been reluctant to ask for a fee in practice in a good number of EU member states, for a variety of reasons (primarily the lack of clear guidance and the risk of provoking the individual to complain to the national supervisory authority or the risk of further sanction from the supervisory authority itself). 

5. What should I do to protect my business?

There are a number of steps that employers can and should take in preparation for dealing with such requests (both with a view to ensuring compliance with the GDPR and domestic legislation, and to protecting their position and limiting their exposure to risk in relation to employee claims and negotiations with representative bodies). These include:

  • implementing appropriate procedures and policies governing the treatment of such requests at all key stages, together with appropriate training, to facilitate the early identification and correct handling of a request;
  • documenting each Article 15 request carefully, including the searches carried out, the application of any exemptions and the communication with and responses to the individual, to evidence compliant conduct if required (bearing in mind that controllers must comply, and be able to show that they have complied, under the GDPR's guiding principles);
  • ensuring strict adherence to retention and deletion protocols; and
  • ensuring that employee personal data can be easily identified and exported.

6. What consequences can I expect as an employer if I do not provide the requested information, do not provide it in due time or do not provide it to the required extent?

In the event an employer fails to provide the required information, or fails to do so in time, the individual who made the request can complain to the national supervisory authority. That authority may investigate the alleged breach; where it considers a breach occurred, the most likely first step would be to require the employer to provide the missing information. This in itself is a potential risk; it could place the employer on the radar of the national supervisory authority, and the nature of the matter complained of may open the company up to wider scrutiny.

Supervisory authorities have a range of significant powers to investigate, both in the event of a complaint and of their own accord. Such authorities also have key enforcement powers, including asking questions, serving notices requiring the provision of information and imposing fines and other sanctions. The potential financial consequences of a breach of Article 15 GDPR are significant; national authorities can, in theory, impose administrative fines of up to EUR 20 million or 4% of the total annual worldwide turnover of the previous financial year, whichever is larger. They can (theoretically) also impose a ban on processing activities or suspend data transfers, which may well have wider implications for an employer's business.

Individuals are not restricted to simply complaining to the appropriate national supervisory authority; in most jurisdictions, if not all, they can also apply to the courts seeking a remedy in relation to an alleged breach. The nature of the claims available, and the way in which such claims should be structured, varies across the EU member states, but the underlying commonality is that in most cases, employees may be entitled to compensation in respect of a breach of obligations under Article 15 GDPR. As an overall comment, whilst there are certain trends discernible in the compensatory awards made to individuals affected by a breach, there are no clear limits - this depends on the factors considered, e.g. the nature, type and extent of the damage suffered.

  • In some countries, this is based on the damage caused to the individual, and/or the injury or harm suffered by the individual as a result of the breach. However, this is not always the case. In the UK, for example, claimants do not need to establish that they have suffered financial loss to bring a claim – evidencing emotional distress is sufficient, and the courts have made clear that the bar for evidencing emotional distress, and what constitutes emotional distress, is relatively low.
  • Equally, in some EU member states, compensation is calculated on a punitive basis with the intention of sanctioning the employer for the violation of the law committed (as well as compensating the individual for any damage suffered).
  • In a number of EU countries (including, for example, Germany), the courts are required to take an approach to compensation that is favourable, if not generous, towards employees when considering deterrence, punitive and purely compensatory factors.

As might be anticipated, the attitude of national supervisory authorities with regard to fines has so far been varied.

  • Both the French CNIL, which imposed a fine of EUR 50 million against Google, and the UK's Information Commissioner's Office, which announced it intended to impose fines of £183.39 million (equivalent to about US$ 230 million or EUR 204 million) and £99,200,396 (equivalent to about EUR 124 million) against British Airways and Marriott International respectively, have garnered widespread attention.
  • German supervisory authorities have also already imposed major GDPR fines.
    • The German authorities (the "DSK", the joint coordination body of the German data protection authorities) have recently published their concept/model for calculating fines under the GDPR. It has already been criticised, since it takes worldwide turnover as the main basis of the calculation, which can result in heavy fines for large companies and groups of companies for even minor violations;
    • the Berlin data protection commissioner has also already imposed a fine of around EUR 14.5 million on a real estate company for not maintaining a proper deletion concept for customer data, and the German Federal Commissioner for Data Protection and Freedom of Information, the competent DPA for all telecommunication service providers in Germany, imposed a fine on a telecommunications service provider amounting to EUR 9.5 million (although the decisions are not final yet and the companies can still lodge an appeal against the fine notice);
    • even before the GDPR came into effect, fines of millions of euros were imposed against German companies, inter alia against a supermarket chain in the context of illegal monitoring of employees - under the GDPR and the new German calculation model the fines would have been significantly higher still.

In essence, there is as yet no clear EU-wide approach, whether on the part of national supervisory authorities or national courts, in respect of infringements of Article 15 GDPR. The attitude of supervisory authorities, and the nature of any sanctions (including the level of any fines) imposed, is by no means consistent and varies greatly across the EU. It remains to be seen how these practices and approaches develop across the EU in the coming months and years.