Access to work emails? Can a request to access data be too extensive?

Under the GDPR, a data controller must provide a data subject with access to all personal data which the data controller processes about him or her, if the data subject requests it. However, the data controller may refuse to act on such a request if, for example, the scope of the request for access is excessive.

Norrbomvinding 10237

In this case, the Danish Data Protection Agency had to decide whether an employer was entitled to refuse to provide access to all the contents of a former employee's work email account. The former employee asked to see all emails sent or received via his work email account as well as all other emails sent in the workplace about him.

The employer provided the former employee with his personnel file, email correspondence which contained personal information about him as well as other material which contained personal information. However, the employer refused to provide access to emails from the former employee's closed work email account. The employer referred to, among other things, the fact that emails sent in connection with the performance of the work were not in themselves personal data.

The former employee was not satisfied with this and therefore filed a complaint to the Data Protection Agency.

Work emails primarily describe a function
The Data Protection Agency stated that it is possible for employers to refuse to allow an employee, or a former employee, to see letters, emails and similar signed and/or sent by the person on the grounds that the request for is too far-reaching, especially if it involves a lot of information. This is because personal information in, for example, work-related emails first and foremost relates to the employee's function in his or her position with the employer. However, there may be exceptions to this starting point, for example if emails sent actually contain personal information about the employee over and above material relating solely to the performance of his or her work functions.

The request was too extensive
Based on the nature of personal information in work emails, the Data Protection Agency found that the employer in this case was entitled to reject the former employee’s request to access emails from his work email account because the request was too extensive. The Data Protection Agency also emphasised that work email accounts do not constitute an IT system intended to process information about employees.

Further, the Data Protection Agency emphasised that the employer gave the former employee access to other personal information held about him, apart from information which could potentially be in the closed work email account, just as emphasis was placed on the employer entering into a dialogue with the former employee on how the employer could comply with the request in another way.

Norrbom Vinding notes

  • that the decision is an example of the extent of employees' and former employees' right to access personal data held by an employer under the GDPR; and
  • that with this decision the Data Protection Agency has established that former employees typically do not have the right to view the contents of their work email account or receive a copy of it, as there will usually be a large amount of information in this account, meaning that a request of this nature will be too extensive; but
  • employers cannot generally disregard work emails, as there may be cases where the employer is aware that work emails contain other personal data than that necessary for the performance of the work task, for example if a purely personal opinion is expressed (as opposed to a professional assessment).

The content of the above is not, and should not be a substitute for legal advice.

More about the subject