Right of access to internal working documents? Must the names of employees be disclosed?
According to the Data Protection Agency, an insurance company was justified in not providing access to an internal working document as well as the names of the company’s employees to a former customer.
The GDPR states that a data subject can request the data controller for access to all personal data held by the controller about him or her. Certain information may, however, be exempt from the right to access data, for instance if a substantial private or public interest overrides the interests of the data subject. In this case, the Data Protection Agency had to decide whether an insurance company was obligated to provide a former customer access to, among other things, an internal working document drawn up by the insurance company.
The case concerned an insurance company that terminated a customer’s insurance cover. Prior to that, the insurance company had collected information on the former customer via the internet and through physical surveillance.
The former customer was not happy about the situation and requested the insurance company for access to all information registered about the customer. The former customer also wished for access to internal working documents, the names and job titles of the employees at the company who had been involved in the case, as well as the name of a medical consultant who had made an assessment of the former customer’s condition. At the same time, the former customer informed the insurance company that proceedings would be issued against it.
The insurance company handed out all data processed about the former customer. The insurance company did, however, refuse to provide access to the names of the employees and medical consultant. Likewise, it would not provide access to an internal working document containing legal assessments and correspondence between the insurance company and its lawyer. These exceptions caused the former customer to lodge a complaint with the Data Protection Agency.
Right of access does not cover all internal working documents
The Data Protection Agency stated that the names of the insurance company’s employees and the medical consultant did not constitute personal data on the former customer within the meaning of the data protection legislation. Consequently, the former customer’s right of access did not comprise such information.
As regards the internal working document, the insurance company argued that it contained personal data about the former customer but that this information had also been contained in other documents to which the former customer had been provided access. The document also contained legal assessments written by the insurance company, some of which composed as preparation for the legal proceedings announced by the former customer.
The Data Protection Agency further stated that internal working documents containing, for example, a legal assessment of whether a data controller may expect a favourable outcome in ongoing or expected legal proceedings may be exempted from the right of access on grounds of the data controller’s private interests. The Data Protection Agency found that the internal document could be exempted from the right of access and attached weight to the fact that the former customer had already been provided access to all personal data held about him or her, which was contained in the working document, in other documents and that such material did not otherwise contain data covered by the right of access. The same applied to the correspondence between the insurance company and its lawyer.
On that basis, the Data Protection Agency found that the insurance company’s handling of the access request was in accordance with the rules on the right of access.
Norrbom Vinding notes
- that the decision of the Data Protection Agency shows that internal working documents as well as correspondence with lawyers may in most cases be exempt from the right of access to personal data.
The content of the above is not, and should not be a substitute for legal advice.
Ius Laboris recently received the prestigious Global Network of the Year award at The Lawyer European Awards 2023.
The long-awaited bill, which introduces a requirement for registration of working time for each individual employee and provides the opportunity to derogate from the 48-hour rule for certain employee groups, has been submitted to the Parliament. The effective date has been postponed to 1 July 2024.
In a new article, Ius Laboris takes a closer look at the issue of whether employers can monitor employees’ social media posts.
On the first Tuesday of October, the parliamentary year kicked off and, as usual, the Government announced its legislative programme for the parliamentary year 2023/2024.
The opportunities associated with AI are immense, but right now it is necessary to address a number of concerns about the use and potential of AI in the workplace.
In a recent judgment, the Supreme Court held that a retention bonus was not remuneration within the meaning of the Insolvency Act. The judgment is likely to have an impact on the question of whether retention bonuses are covered by section 17a of the Salaried Employees Act.