GDPR Article 15
When was the last time a data subject asked you to disclose personal data processed by you?
Data subjects are increasingly aware that they have been given new rights under the General Data Protection Regulation (GDPR) in order to effectively protect their personal data.
According to Article 15(1) GDPR, data subjects have a right to data protection information: information about which of their personal data is processed by a controller. The right to data protection information is therefore a core element of the GDPR to fulfill the transparency obligations of the controller.
It protects the data subjects in particular and is now also becoming increasingly popular in the employment relationship. From our practice, we know that more and more employees are using the right to data access to obtain information from their employer about which personal data is being or has been processed by them in the context of the employment relationship.
We are therefore often asked which and, in particular, to what extent information must be disclosed by the employer in response to the request for information by (former) employees.
Definition of personal data
Firstly, the question arises as to which information is covered by the term "personal data" and is therefore part of the information provided by the employer. In addition, for each request for information, it must be clarified in what form and to what extent the information may be disclosed. This is because Article 15(3) GDPR stipulates that data subjects may also receive a copy of their personal data. should receivewhich are the subject of the processing.
For example, it must be clarified whether complete copies of files must be made and handed over. How should the protection of third-party rights or the protection of business secrets be handled?
According to the wording of Article 15(1) GDPR, the right to information under data protection law relates to the provision of information about the personal data processed by the employer (subject matter of the processing). However, this does not regularly mean the disclosure of all documents, emails, images, evaluations, etc. that contain, for example, the name of the data subject or any other information about this person.
There is therefore no need for a 1:1 copy of every document in which, for example, the name or email address of the person concerned appears (see LG Köln Az. 26 O 25/18 and EuGH Rs. C-372/12).
In our opinion, the right of access pursuant to Article 15 GDPR does not constitute a justified general right to copies of all documents or files containing personal data of data subjects.
Dealing with authorities
In order to comply with the requirements set out by the data protection supervisory authorities for the request for information, we recommend implementing the request for information in a staggered process.
In a staggered process, the persons requesting information (employees) first receive the information specified in Article 15(1) GDPR after submitting a request for information. In addition, you will be provided with a copy containing an extended master data record with the essential relevant information that is the subject of the processing.
We are happy to support you in implementing the requirements in accordance with Article 15 GDPR. For example, you can give employees access to specially organized information systems from which they can retrieve the relevant personal data themselves.