Newsflash
Data protection and privacy

The Data Protection Authority (DPA) recently treated a complaint submitted by a worker against her employer for failure to comply with her request to access her personnel file. The DPA stresses that the employer must erase or anonymise the personal data of third parties in advance, but that the presence of third parties’ personal data cannot be an excuse for the failure to comply in time with the request for access.

The right of access and to obtain a copy

According to the GDPR, workers have the right to access and to obtain a copy of the personal data processed about them. In the event of a dismissal or a missed promotion, workers sometimes ask for access to their personnel file.

In case of such a request, the employer must inform the worker of the action taken within one month of receipt of the request. Depending on the complexity of the request, the employer may also inform the worker within the same time limit that the period will be extended by two months. In addition, the employer must ensure that the access does not affect the “rights and freedoms of others”, for example by anonymising the personal data of third parties.

Facts

A worker had asked her employer in an e-mail dated 28 February 2020 to set an appointment to consult all the evaluation documents in her personnel file. The employer replied that the right of access should not affect the rights and freedoms of third parties and that he therefore first had to check whether the evaluation documents contained information on the basis of which third parties could be identified.

Subsequently, by an e-mail dated 18 June 2020, the employer announced that an appointment could be made to consult the personnel file. However, on 1 July 2020, the employee submitted a complaint to the DPA because she considered that her request for access had not been granted.

Decision of the DPA’s Dispute Chamber

The DPA recalls that the employer must be transparent and must allow its workers to exercise their rights under the GDPR, including the right of access to personal data. Although the right of access should not prejudice the rights or freedoms of others, this consideration may not result in the worker being deprived of all information. Therefore, the employer must erase or anonymise the personal data of third parties in advance; however, this cannot be used as a reason for not complying in time with a request for access.

The DPA considered that the GDPR had been violated because the employer had failed to respond adequately to the request within one month of receipt (nor had he informed the worker of any extension of the period). The DPA ordered the employer to give the worker access to her personnel file, including the evaluation forms.

Action point

 In the event of a request of access to a personnel file, ensure that you proceed as quickly as possible with the anonymisation or erasing of the personal data of third parties, so that you can comply with the request in time. Moreover, it would be best to include a clear procedure in your privacy policy to facilitate the right of access. Of course, we can always assist you in preparing this policy.