Introduction

In Decision 41/2020, the Litigation Chamber of the Data Protection Authority (DPA) issued a reprimand to a hospital for its violation of an employee's access and information rights regarding an audit, which had led to the employee's dismissal.

Specifically, the hospital had refused the employee access to the external expert's audit report which had formed the basis of its decision to dismiss the employee. In its decision, published on 3 August 2020, the DPA found that the hospital's retention of the report had infringed:

  • Article 15(3) combined with Article 12(4) (right of access) of the EU General Data Protection Regulation (GDPR) on the one hand; and
  • Articles 12, 13 and 14 of the GDPR (right to information) on the other.

Employers cannot refuse access to evaluation documents based solely on their nature

The DPA stated that 'personal data' encompasses all types of information – namely:

  • private (intimate) information;
  • public information;
  • professional and commercial information; and
  • objective and subjective information.

In particular, the DPA referred to the Nowak judgment (C-434/16) and held that beyond this specific case (which concerned access to an examination), any opinion or assessment concerning a specific person is covered by the notion of personal data.

As for the breach of the right of access provided for in Article 15(3) combined with Article 12(4) of the GDPR, the DPA noted that the right to obtain a copy of personal data is the major change introduced by the GDPR in terms of the right of access. This strengthens data subjects' control over their personal data.

In addition, the DPA specified that Article 15(3) does not require that a copy of the original document be provided to the data subject. Rather, it requires the data controller to provide a copy of the personal data which was processed. This right to obtain a copy of said data does not imply that the data subject has a right to obtain a copy of the original document containing this data, as the sharing of such a document could infringe the rights and freedoms of others.

In light of these considerations, the DPA rejected the hospital's objections to the employee's right of access, which were based on confidentiality, copyright and the rights and freedoms of others, on the ground that it had failed to demonstrate their concrete application. As regards the fact that the audit report contained data relating to other employees, the DPA considered that the hospital could have provided only the processed data which concerned the plaintiff and excluded the data which concerned other employees.

Effective access to personal data cannot be intimidating

The DPA held that the hospital's procedure for allowing data subjects to exercise their rights did not comply with Article 12(2) (facilitation of the exercise of rights) of the GDPR. The DPA found that while it cannot be ruled out that a response to a data subject exercising their rights may require a personal meeting, having to systematically make an appointment with the hospital:

  • was excessive;
  • could be perceived as intimidating; and
  • constituted an obstacle to the effective exercise of the rights conferred by the GDPR.

Rather, data subjects should be able to request access to their data directly from the data controller or data protection officer via a dedicated email address.

Reprimand, not fine

Article 221(2) of the Data Protection Act 2018 prohibits the DPA from fining government bodies (other than public law entities that offer goods or services on a market). Hence, the DPA issued a reprimand and ordered the hospital to provide access to additional documentation and comply with the data protection regulations within three months.