By Søren Terp Kristophersen, Firm: Norrbom Vinding
A former employee did not have the right to see emails in his work email account with his former employer under the rules of the GDPR because the request was too extensive.
Under the GDPR, a data controller must provide a data subject with access to all personal data which the data controller processes about him or her, if the data subject requests it. However, the data controller may refuse to act on such a request, if, for example, the scope of the request for access is excessive.
In this case, the Danish Data Protection Agency had to decide whether an employer was entitled to refuse to provide access to all the contents of a former employee's work email account. The former employee asked to see all emails sent or received via his work email account as well as all other emails sent in the workplace about him.
The employer provided the former employee with his personnel file, email correspondence which contained personal information about him, as well as other material which contained personal information. However, the employer refused to provide access to emails from the former employee's closed work email account. The employer referred to, among other things, the fact that emails sent in connection with the performance of the work were not in themselves personal data.
The former employee was not satisfied with this and therefore complained to the Danish Data Protection Agency.
Working emails primarily describe a function
The Danish Data Protection Agency stated that it is possible for employers to refuse to allow an employee, or a former employee, to see letters, emails and similar signed and / or sent by the person on the grounds that the request for is too far-reaching, especially if it involves a lot of information. This is because personal information in, for example, work-related emails first and foremost relates to the employee's function in his or her position with the employer. However, there may be exceptions to this starting point, for example if emails sent actually contain personal information about the employee, over and above material relating solely to the performance of his or her work functions.
The request was too extensive
Based on the nature of personal information in work emails, the Danish Data Protection Agency found that the employer in this case was entitled to refuse the former employee access to emails from his work email account because the request was too extensive. The Danish Data Protection Agency also emphasised that work email accounts do not constitute an IT system intended to process information about employees.
The Danish Data Protection Agency also emphasised that the employer gave the former employee access to other personal information held about him, apart from that which could potentially be in the closed work email account, just as emphasis was placed on the employer entering into a dialogue with the former employee on how the employer could comply with the request in another way.
- The decision is an example of the extent of employees' and former employees' right to access personal data held by an employer under the GDPR.
- With this decision, the Danish Data Protection Agency has established that former employees typically do not have the right to view the contents of their work email account or receive a copy of it, as there will usually be a large amount of information in this, meaning that a request of this nature will be too extensive.
- However, employers cannot generally disregard work emails, as there may be cases where the employer is aware that work emails contain other personal data than that necessary for the performance of the work task, for example if a purely personal opinion is expressed (as opposed to a professional assessment).