GDPR Article 15
When was the last time a data subject asked you to disclose personal data processed by you?
More and more frequently, those affected are aware that they are General Data Protection Regulation (GDPR) have been given new rights to effectively protect their personal data.
Pursuant to Article 15(1) GDPR have affected The right to data protection information: information about which of their personal data is processed by a controller. The right to data protection information is therefore a core element of the GDPRto fulfill the transparency obligations of those responsible.
It protects the data subjects in particular and is now also becoming increasingly popular in the employment relationship. From our practice, we know that more and more employees are using the right to data access to obtain information from their employer about which personal data is being or has been processed by them in the context of the employment relationship.
We are therefore often asked which and, in particular, to what extent information must be disclosed by the employer in response to the request for information by (former) employees.
Definition of personal data
Firstly, the question arises as to which information is covered by the term "personal data" and is therefore part of the information provided by the employer. In addition, it must be clarified for each request for information in what form and to what extent the information may be disclosed. This is because Article 15(3) GDPR provides that affected persons also receive a copy of their personal data should receivewhich are the subject of the Processing are.
For example, it must be clarified whether complete copies of files must be made and handed over. How should the protection of third-party rights or the protection of business secrets be handled?
According to the wording of Article 15(1), the right to information under data protection law concerns GDPR a request for information about the personal data processed by the employer (subject of the Processing). However, this does not regularly mean the publication of all documents, e-mails, images, evaluations, etc., which contain, for example, the name of the person concerned or any other information about this person.
There is therefore no need for a 1:1 copy of every document in which, for example, the name or email address of the person concerned appears (see LG Köln Az. 26 O 25/18 and EuGH Rs. C-372/12).
The Right to information in accordance with Article 15 GDPR does not, in our opinion, constitute a justified general claim to copies of all documents or files that personal data of those affected.
Dealing with authorities
In order to comply with the requirements set out by the data protection supervisory authorities for the request for information, we recommend implementing the request for information in a staggered process.
In a staggered process, the persons seeking information (employees) first receive the information specified in Article 15(1) after submitting a request for information. GDPR information mentioned above. In addition, you will receive a copy with an extended master data record containing the essential relevant information that is the subject of the Processing are made available.
We are happy to support you in implementing the requirements in accordance with Article 15 GDPR. For example, you can give employees access to specially organized information systems, from which they can select the relevant information themselves. personal data can call up.
German 
English 
Italian 
French