Under the EU General Data Protection Regulation (GDPR), data controllers must provide data subjects with access to all of the personal data that the data controller processes about them if the data subject requests it. However, data controllers may refuse to act on such a request if, for example, the scope of the request for access is too excessive.

Facts

In a recent case, the Data Protection Agency considered whether an employer was entitled to refuse to provide access to all of the contents of a former employee's work email account. The former employee asked to see all of the emails sent or received via his work email account as well as all other emails sent in the workplace about him.

The employer provided the former employee with his personnel file, email correspondence which contained personal information about him and other material which contained personal information. However, the employer refused to provide access to emails from the former employee's closed work email account. The employer referred to, among other things, the fact that emails sent in connection with the performance of the job were not in themselves personal data.

The former employee was unsatisfied with this and filed a complaint to the Data Protection Agency.

Work emails primarily describe a function

The Data Protection Agency stated that it is possible for employers to refuse to allow an employee, or a former employee, to see letters, emails and similar signed or sent by the person on the grounds that the request for access is too far-reaching, especially if it involves a lot of information. This is because personal information in, for example, work-related emails first and foremost relates to an employee's function in their position with their employer. However, there may be exceptions to this starting point (eg, if emails sent contain personal information about the employee over and above material relating solely to the performance of their work functions).

Request was too extensive

Based on the nature of personal information in work emails, the Data Protection Agency found that the employer in this case was entitled to reject its former employee's request to access emails from his work email account because the request was too extensive. The Data Protection Agency also emphasised that work email accounts do not constitute an IT system intended to process information about employees.

Further, the Data Protection Agency emphasised that the employer gave the former employee access to other personal information held about him, apart from information which could potentially be in his closed work email account, just as emphasis was placed on the employer entering into a dialogue with the former employee on how the employer could comply with the request in another way.

Comment

The decision is an example of the extent of employees' and former employees' right to access personal data held by an employer under the GDPR.

With this decision, the Data Protection Agency has established that former employees do not typically have the right to view the contents of their work email account or receive a copy thereof, as there will usually be a large amount of information in this account, meaning that a request of this nature would be too extensive.

However, employers cannot generally disregard work emails, as there may be cases where they are aware that work emails contain personal data other than that necessary for the performance of the role (eg, if a purely personal opinion is expressed (as opposed to a professional assessment)).