In a fact sheet published on 5 January 2022, the National Data Protection Authority (CNIL) emphasised that any employee may exercise their right of access before their employer. Exercising this right allows the employee to know whether data that concerns them is being processed. It also allows them to obtain such data in an understandable format, in order to check the accuracy of the data and, if necessary, to have it rectified or deleted.
The CNIL specifies that the right of access relates to personal data and not to documents. Thus, employees cannot request documents based on their right of access. However, the CNIL does allow the disclosure of documents if the recipient of the request considers it more convenient.
This may be the case for emails, as in the event of a request by the employee, the CNIL says that the employee must receive both the metadata (ie, timestamp and details of the recipient) and the personal data contained in the body of the email.
However, the CNIL specifies that the right of access must not infringe the rights of third parties whose data may also be processed. This protection of third parties allows employers to limit the employee's access to only data that cannot disproportionately affect the rights of third parties.
In practice, an employer who is presented with an email communication request from an employee will have to distinguish whether:
- the employee is the author or the recipient of the emails. In this case, the communication of the emails is presumed to respect the rights of third parties (as the employee already had knowledge of the emails), except in exceptional cases (eg, breaches of national security or industry secrets). In these exceptional cases, the employer should first try to anonymise, delete or pseudonymise the data concerning third parties or sensitive data. Only if these measures prove insufficient can the employer refuse access to the data, giving reasons and justification for this decision; or
- the employee is only mentioned in the content of the email. In this case, the employer must find a balance between the employee's right of access and the respect of the rights and freedoms of the other employees, particularly the secrecy of correspondence. The employer must, therefore, first ensure that the means being used to identify the requested emails do not lead to a disproportionate infringement of the rights of other employees at the company. If this is the case, the employer should first invite the relevant employee to specify their request and then refuse the communication if the employee refuses.
However, if the employee's request is precise and it allows the identification of the requested emails without disproportionately infringing the rights of third parties, the employer will have to examine the content of the emails and assess whether their communication is likely to infringe the rights of third parties. A case-by-case analysis will then be necessary.
The CNIL also emphasises that personal emails are subject to a specific regime, as the employer, who is not authorised to access them, must not take note of their content and must provide the email as is to the employee who requested it, provided that the latter is the sender or the recipient.
While the CNIL's fact sheet sheds light on the steps to follow in the event of an employee requesting access to their emails, the assessment of an infringement of the rights of third parties is subjective, which could shape future litigation.
For further information on this topic please contact Marion Guertault or Hélène De Nazelle at Hogan Lovells by telephone (+33 1 53 67 47 47) or email ([email protected]hoganlovells.com or [email protected]). The Hogan Lovells website can be accessed at www.hoganlovells.com.