Under the GDPR, a data controller must provide a data subject with access to all personal data which the data controller processes about him or her, if the data subject requests it. However, the data controller may refuse to act on such a request if, for example, the scope of the request for access is excessive.
In this case, the Danish Data Protection Agency had to decide whether an employer was entitled to refuse to provide access to all the contents of a former employee's work email account. The former employee asked to see all emails sent or received via his work email account as well as all other emails sent in the workplace about him.
The employer provided the former employee with his personnel file, email correspondence which contained personal information about him as well as other material which contained personal information. However, the employer refused to provide access to emails from the former employee's closed work email account. The employer referred to, among other things, the fact that emails sent in connection with the performance of the work were not in themselves personal data.
The former employee was not satisfied with this and therefore filed a complaint with the Data Protection Agency.
Work emails primarily describe a function
The Data Protection Agency stated that it is possible for employers to refuse to allow an employee, or a former employee, to see letters, emails and similar material signed and/or sent by the person on the grounds that the request for access is too far-reaching, especially if it involves a lot of information. This is because personal information in, for example, work-related emails first and foremost relates to the employee's function in his or her position with the employer. However, there may be exceptions to this starting point, for example if emails sent actually contain personal information about the employee over and above material relating solely to the performance of his or her work functions.
The request was too extensive
Based on the nature of personal information in work emails, the Data Protection Agency found that the employer in this case was entitled to reject the former employee’s request to access emails from his work email account because the request was too extensive. The Data Protection Agency also emphasised that work email accounts do not constitute an IT system intended to process information about employees.
Further, the Data Protection Agency emphasised that the employer gave the former employee access to other personal information held about him, apart from information which could potentially be in the closed work email account. It also placed emphasis on the employer entering into a dialogue with the former employee on how the employer could comply with the request in another way.
The content of the above is not, and should not be, a substitute for legal advice.
Must the Data Protection Agency be notified in case of an “internal” personal data breach?
The Data Protection Agency has expressed criticism of a municipality, inter alia, because the municipality had failed to notify a personal data breach to the Agency or communicate the breach to the affected employee.