Under the GDPR, a data controller must provide a data subject with access to all personal data which the data controller processes about him or her, if the data subject requests it. However, the data controller may refuse to act on such a request, if, for example, the scope of the request for access is excessive.
In this case, the Danish Data Protection Agency had to decide whether an employer was entitled to refuse to provide access to all the contents of a former employee’s work email account. The former employee asked to see all emails sent or received via his work email account as well as all other emails sent in the workplace about him.
The employer provided the former employee with his personnel file, email correspondence which contained personal information about him, as well as other material which contained personal information. However, the employer refused to provide access to emails from the former employee’s closed work email account. The employer referred to, among other things, the fact that emails sent in connection with the performance of the work were not in themselves personal data.
The former employee was not satisfied with this and therefore complained to the Danish Data Protection Agency.
Working emails primarily describe a function
The Danish Data Protection Agency stated that it is possible for employers to refuse to allow an employee, or a former employee, to see letters, emails and similar signed and / or sent by the person on the grounds that the request for is too far-reaching, especially if it involves a lot of information. This is because personal information in, for example, work-related emails first and foremost relates to the employee’s function in his or her position with the employer. However, there may be exceptions to this starting point, for example if emails sent actually contain personal information about the employee, over and above material relating solely to the performance of his or her work functions.
The request was too extensive
Based on the nature of personal information in work emails, the Danish Data Protection Agency found that the employer in this case was entitled to refuse the former employee access to emails from his work email account because the request was too extensive. The Danish Data Protection Agency also emphasised that work email accounts do not constitute an IT system intended to process information about employees.
The Danish Data Protection Agency also emphasised that the employer gave the former employee access to other personal information held about him, apart from that which could potentially be in the closed work email account, just as emphasis was placed on the employer entering into a dialogue with the former employee on how the employer could comply with the request in another way.