Employee’s right of access: what must you provide as an employer?
Our lives are increasingly taking place online. Every day, we share sensitive information via our phones, social media and digital payments. This makes protecting our personal data more important and more challenging. As an employer, you also have a major responsibility in this regard: you process your employees’ personal data and must handle it with care. Employees also have the right to know what data you process about them. But what exactly does this right of access entail?
Right of access
The General Data Protection Regulation (GDPR) has been in force since 2018. This law lays down clear rules for the processing of personal data. For employers, this means that they are obliged to guarantee the privacy of their employees.
Under Article 15 of the GDPR, every data subject has the right to access their personal data. This right also applies within the employment relationship. An employee can ask their employer to access their personal data. As an employer, you must comply with this request in principle. This means that the employee has the right to access their personal data and to receive a copy of it. In addition, as an employer, you must explain the purpose for which this data is used and with whom it may be shared.
A request for access may only be refused in exceptional cases. This may be the case if the request is manifestly unfounded or excessive, or if the provision of the data would adversely affect the rights and freedoms of others. In addition, the GDPR Implementation Act (Article 41 UAVG) provides for a restriction: access may be refused if it poses a risk to public safety or the prevention or detection of criminal offences. The threshold for refusing a request in whole or in part remains high.
The form in which an employer must share data with the employee always depends on the specific circumstances. As an employer, you are not always required to provide all requested documents and copies. The important thing is that the employee receives a comprehensible overview, which they can use to check whether the data is correct and is being processed lawfully. This can be done, for example, by means of a comprehensible processing overview of all personal data.
What is not covered by the right of access?
Not all documents need to be shared with the employee. A ruling by the Midden-Nederland District Court (ECLI:NL:RBMNE:2021:1354) states that internal memos containing personal thoughts of colleagues or managers are not covered by the right of access, as long as they are intended solely for internal consultation and deliberation. Examples include internal emails regarding a possible dismissal. Legal analyses based on personal data cannot be classified as personal data as such.
This changes as soon as such documents become part of the employee’s personnel file. The personnel file contains all the documents that the employer keeps about an employee. These include the employment contract, performance or assessment reports, or documents relating to absenteeism. Once documents are included in the personnel file, they are subject to the right of access. The employer must then include this information in an overview or, if that is not possible, provide a copy.
In addition, when providing information, you must not infringe on the rights and freedoms of others. This is laid down in Article 15(4) of the GDPR. An employer must take into account the privacy rights of other employees and third parties. In principle, sharing personal data of colleagues or third parties with the employee is not permitted. However, an employer may send an anonymised version so that no damage is caused to the interests of third parties (ECLI:NL:RBAMS:2024:1219).
Practical examples
In practice, this concerns, for example, official performance reports or interviews, which form part of the personnel file. The personal data contained therein must be provided to the employee. It is often sufficient to provide an overview of the processing of personal data, with a summary of what can be found in each document. Complaints from an employee are another practical example. These often contain personal data of the employee themselves, but sometimes also of third parties. The documents that specifically relate to the employee are subject to the right of access and must therefore be provided in an overview. Information that is confidential or concerns the personal data of others, on the other hand, may be partially refused or anonymised.
In conclusion
It is important for employers to handle access requests from employees with care. In practice, we find that this often gives rise to questions or discussions. Therefore, please do not hesitate to contact us. We will be happy to advise you on how to handle an access request correctly.