Whether the request comes from a current employee or from a former employee after the termination of the employment contract, requests for access to personnel files are governed by the GDPR and require employers to comply with strict rules. In this article, we briefly review the main obligations incumbent on employers and give some essential guidelines.
The principle - the right to access and copy personal data
The GDPR gives workers the right to ask employers whether data concerning them is being processed, and if so, to have access to it and request a copy. In particular, this right must enable employees to check the accuracy of their personal data collected in the course of the employment relationship.
Limitations - caution is advised
The employer cannot simply refuse the employee access to his or her personal file, but certain limits may be invoked.
1. Not infringing the rights and freedoms of others (article 15(4) GDPR): Access may be restricted to protect, among other things, the business secrets, intellectual property and personal data of third parties.
2. The request is manifestly unfounded or excessive (article 12(5) GDPR): A request could be considered manifestly excessive if it is repeated, used to harass or harm the responsible data controller, or presents a disproportionate administrative burden.
3. Invoking limitations based on Union or national law (Article 23(1)(f) GDPR): This exception requires the application of a number of specific conditions.
In most cases, the main reason for refusing or limiting access will be the prohibition on infringing the rights and freedoms of others. However, the employer should always be able to demonstrate, in concrete terms, the risk identified and give preference to anonymisation or deletion of sensitive data rather than outright refusal.
Ultimately, what should be done in case of a request for access and a copy?
1. Identify and qualify the data concerned (personal data, data concerning a third party, data covered by professional secrecy, etc.).
2. Limit access where necessary and give preference to anonymisation or deletion of sensitive data rather than refusal.
3. Inform the employee of any restrictions or refusals, and of the possibility of referring the matter to the Data Protection Authorities or taking legal action.
4. Respect the deadlines (in theory one month from the date of the request, with the possibility of an extension).
Lastly, and to summarise, in the event of a request for access to personnel files, we strongly recommend a cautious approach (avoid refusal), a pragmatic approach (avoid overload) and a proactive approach (process the request quickly).
Anneleen Van de Meulebroucke, Sacha Henet and Catherine Lipski, Eubelius Lawyers