The Belgian Data Protection Authority (DPA) recently treated a complaint submitted by a worker against her employer for failure to comply with her request to access her personnel file. The DPA stressed that the employer must erase or anonymise the personal data of third parties in advance, but that the presence of third parties’ personal data cannot be an excuse for the failure to comply with the request for access in time.
The right of access and to obtain a copy
According to the GDPR, workers have the right to access and to obtain a copy of personal data processed about them. In the event of a dismissal or a missed promotion, workers sometimes ask for access to their personnel file.
In the event of such a request, the employer must inform the worker of the action taken within one month of receipt of the request. Depending on the complexity of the request, the employer may also inform the worker within the same time limit that the period will be extended by two months. In addition, the employer must ensure that the access does not affect the ‘rights and freedoms of others’, for example by anonymising the personal data of third parties.
Facts
A worker had asked her employer in an email dated 28 February 2020 to set an appointment to consult all the evaluation documents in her personnel file. Her employer replied that the right of access should not affect the rights and freedoms of third parties and that he therefore first had to check whether the evaluation documents contained information on the basis of which third parties could be identified.
Subsequently, by an email dated 18 June 2020, the employer announced that an the employee could make and appointment to consult her personnel file. However, on 1 July 2020, the employee submitted a complaint to the DPA because she considered that her request for access had not been granted.
Decision of the DPA’s Dispute Chamber
The DPA recalls that the employer must be transparent and must allow its workers to exercise their rights under the GDPR, including the right of access to personal data. Although the right of access should not prejudice the rights or freedoms of others, this consideration cannot result in the worker being deprived of all information. Therefore, the employer must erase or anonymise the personal data of third parties in advance. However, this cannot be used as a reason for not complying with a request for access in time.
The DPA considered that the GDPR had been violated because the employer had failed to respond adequately to the request within one month of receipt (nor had he informed the worker of any extension of the period). The DPA ordered the employer to give the worker access to her personnel file, including the evaluation forms.
Action point
In the event of a request for access to a personnel file, ensure that you proceed as quickly as possible with the anonymisation or erasing of third parties’ personal data, so that you can comply with the request in time. In addition, it would be best to include a clear procedure in your privacy policy to facilitate the right of access.