Under the GDPR, every ‘data subject’ (job applicants, current and former employees, etc.) has the right to request access to all data held on him or her by the data controller (the employer). In addition, the data subject may even request a copy of all this data. At the end of January 2022, the European Data Protection Board (EDPB) published new guidelines on the scope of this right. After the public consultation period ends, the guidelines will be definitively adopted.
The right of access is foreseen by Article 15 of the GDPR. The purpose of this right is to provide individuals with sufficient, transparent and easily accessible information about the processing of their personal data, to enable them to verify the lawfulness of the processing and the accuracy of the data processed.
The right of access has three components:
There are no specific formal or substantive requirements for the request, nor does the data subject have to provide a justification for his or her request. The requester does not have to explicitly refer to the right of access or the GDPR.
The right of access has a broad scope: in addition to basic personal data, according to the EDPB it also includes, for example, subjective notes made during a job application, a history of internet and search engine activity, etc.
Unless explicitly stated otherwise, the request must be understood to relate to all personal data relating to the data subject, but the controller may ask the data subject to specify the request if it processes a large amount of data. This applies to each request: if a data subject makes more than one request, it would therefore not be sufficient to provide access only to the changes since the last request.
Even data that may have been processed incorrectly or unlawfully should be provided. Data that has already been deleted, for example in accordance with a retention policy, and is therefore no longer available to the controller, does not need to be provided.
In practice, the controller will have to search all IT systems and other archives for personal data, using search criteria that reflect the way the information is structured, for example name and customer or employee number.
The main way to respond to a request for access is to provide the data subject with a copy of his or her data, but other approaches (such as providing the information orally or through on-site access) may be used if the data subject so requests. It is up to the data controller to decide on the most appropriate form for providing the data: by post, by email (provided that all necessary security safeguards, such as encryption, are applied), on a USB drive, etc.
In any event, the communication of data and other information relating to the processing must be sent in a concise, transparent, intelligible and easily accessible form, using clear and simple language. As regards the information on the processing, it is not sufficient to simply copy the text of the privacy notice in the reply to the data subject: the text from the privacy notice will have to be specified according to the processing activities relevant to the data subject. For example, if the privacy notice mentions in general terms that employees’ personal data may be transferred to ‘hotels’ for business trips, the reply to the data subject will have to specify to which hotels the employee’s personal data has been transferred.
The request must be answered as soon as possible and in any event within one month of receipt (e.g. a request received on 5 March must be answered by 5 April at the latest). If the last day of the deadline falls on a weekend or public holiday, the deadline is extended to the next working day. If it is necessary to verify the requester’s identity (e.g. by requesting a copy of his or her identity card), the period only starts once the controller has obtained the necessary certainty about the requester’s identity.
This one-month period may be extended by two months if necessary, taking into account the complexity of the request and the number of requests. The data subject must then be informed of the reason for the delay. This exception should be interpreted restrictively: according to the EDPB, the data controller must proactively put in place systems to respond quickly and accurately to a request to exercise the right of access.
The data controller should take the necessary measures to deal with requests as soon as possible. When processing a large amount of data, the controller will therefore have to build in mechanisms that are appropriate to the complexity of the processing. According to the EDPB, the mere fact that an organisation is large and receives many requests should not automatically lead to an extension of the deadline.
The GDPR allows certain restrictions to the right of access:
Ensure that you have clear internal procedures in place within your company that enable you to respond in a timely and accurate manner to requests for access from data subjects such as employees, former employees and customers.