As of 25 May 2018 when the General Data Protection Regulation 2016 ("GDPR") came into force, employers across Europe have been faced with increasing numbers of requests from their employees wanting to know what personal data their employer holds about them, how long such data is held and where it is stored, who this data is shared with and how the employer obtained this data. The right of access under Article 15 GDPR is the vehicle used for most, if not all, such requests, known as 'data subject access requests' or 'DSARs' for short.

Below, we discuss the use and significance of the right of access under Article 15 GDPR in the employment sphere, including its scope, prerequisites, what employers can do to adapt, and the consequences of a breach.

The wider context: individual data rights in the EU

The GDPR heralded the biggest change to EU data protection regulation in over twenty years. Its purpose is to harmonise and modernise data protection laws across the EU, taking into account the technology, communication and data concerns of today, and where possible, those of tomorrow. Whilst the stated intention was to create a 'one stop shop' for data protection regulation, in practice the GDPR acts as a framework and leaves key details to be determined by domestic legislation (particularly in the HR sphere).

With regard to right of access under Article 15 GDPR, the basic individual right applies across the board without the need for implementing domestic legislation, as the GDPR is directly effective. However, the framework created by the GDPR leaves countries free to determine the applicable exemptions. This has led to significant variation across the EU in terms of both the scope of the right in practice and the response or outcome that the individual data subject eventually receives, as well as the approach and attitude of national supervisory authorities.

Ahead of the GDPR coming into force, significant media attention in a number of European jurisdictions highlighted the increased individual rights available under the GDPR, and in particular the right of access to personal data held or otherwise processed by a controller or processor, including employers. As might be expected, employers have seen a clear parallel increase in staff awareness of their rights in relation to information held by their employer.

Perhaps unsurprisingly, this has led to a notable surge in requests based on Article 15 GDPR across the EU. Further, whilst some such requests are borne of a genuine employee concern about the treatment of their personal data, anecdotal evidence suggests that access requests are often (if not principally) used as a simple and cost effective way to exert pressure on the employer, whether by increasing an employer’s legal and management costs, threatening the risk of regulatory involvement or with a view to obtaining information (for use in claims or negotiations) at an early stage. This is particularly the case in relation to negotiated exits and terminations, and in negotiations involving employee representatives such as works councils and trade unions. Further, it is notable that, post-GDPR, employees appear increasingly willing to make such requests while still in employment or engagement.

1. Who can assert the right to information under Article 15 GDPR?

Each employee has the right to access his or her personal data under Article 15 GDPR, irrespective of the length of service or other features of the employment contract. It is not possible to impose a general restriction on the exercise of this right, or for employees to agree to exercise this right in such a way that represents a general restriction.

Whilst we talk about 'employees' in this article, it is worth noting that the right of access is available to current and former staff members (including employees, workers and independent contractors or consultants), including:

  • individuals employed, engaged or otherwise working in an EU member state;
  • individuals employed or engaged by an entity based in an EU member state; and
  • individuals who are nationals of an EU member state (even if they are based or otherwise working overseas).

As a reminder, this will apply irrespective of whether personal data relating to that individual is processed in the EU or outside the EU. As may be anticipated, this may create tensions between the applicable laws of relevant jurisdictions (and in particular with those laws applicable in the USA, China and Russia, for example).

It is possible for parties other than the individual themselves to make a request; the conditions for making vicarious requests vary across the EU member states, but the broad position is that this can be done with the individual's permission and/or where the individual is not able to make such a request themselves.

2. What information do I have to provide as an employer?

Under Article 15 GDPR employees have the right to obtain from the employer confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, the employee can demand further details (set out in Article 15 (1) GDPR) as follows:

  • the purpose(s) of the data processing
  • the categories of personal data processed
  • previous, current or future data recipients
  • the period for which such data is stored
  • the source or origin of the data, if the data did not come from the employee themselves
  • the existence of any automated decision-making processes involving the data

Employers must also inform employees of:

  • the right to object to processing;
  • other individual rights available including the right of erasure, rectification and data portability; and
  • the right to complain to a supervisory authority.

Under Article 15(3) GDPR, the employee can also request a copy of the personal data undergoing processing.

3. Are there certain formal requirements?

There is no specific form in which a request exercising the right of access must be made – a request may be made orally, in writing or electronically. Employers must therefore take steps to ensure that staff can identify an access request under Article 15 GDPR when it is made. In a number of EU member states, it has become common practice for company policies to require any such requests be submitted in writing, whether by email/ letter or using a set form provided by the employer, in order to assist the company in identifying an Article 15 request at the outset. This may not protect such employers in the event of a failure to comply with a request made in another form, but there is some clear practical value in such approaches irrespective of any legal merits.

On receipt of the request, the employer should take steps to verify the identity of the individual who is the subject of the request exercising the right of access (and where different, the person making the request). Aside from the requirement to do so under the GDPR, there are considerable risks in providing the information required under Article 15 GDPR to the wrong person.

Individuals making a request do not have to justify their reasons for doing so. Going further, the courts in a number of jurisdictions (e.g. the UK) have made clear that even where individuals have an acknowledged alternative motive in making such a request, this will generally not defeat the underlying right of access. In other words, even if the individual has an ulterior, non-data protection-related reason for making the request, the employer must generally still comply with its obligations under Article 15 GDPR and provide the information required under that provision.  

The employer may provide the information required by Article 15(1) GDPR in writing, by electronic means or, at the request of the employee concerned, orally. Irrespective of the format in which the information is provided, the employer must provide the information required in a precise, transparent, comprehensible, easily accessible form and in clear and simple language.  

There are prescribed formalities with regard to the format in which information required under Article 15(3) GDPR must be provided. If the employee submits the request electronically, the provided data must be made available in a common electronic format (e.g. as a PDF file).

The employer must make the information required under an Article 15 request available to the employee "without delay", but at the latest within one month of receipt of the application. In certain circumstances, this period may be extended by a further two months; where the employer believes it will exercise this extension, it must communicate this to the employee. Example reasons for extending the period for reply would be that the request is complex, is likely to generate significant amounts of data as part of initial results or requires multiple searches across numerous systems.

4. Who bears any costs incurred?

The costs for making these copies are generally to be borne by the employer. That said, in exceptional cases (for example where the individual requests further copies of the same information or if the employee submits excessive or manifestly unfounded applications), the employer may ask the employee to pay an appropriate fee.

Guidance on fees in exceptional circumstances is as a general rule relatively limited across the EU member states. The general position is that the fee can only take into account directly attributable costs – in other words, administrative costs for the information, notification and/or implementation of the requested measure as well as material and postage costs or personnel or machine costs for the specific application process. General personnel and operating costs cannot be factored in to the fee.

As yet, anecdotal evidence suggests that employers have been reluctant to ask for a fee in practice in a good number of EU member states, for a variety of reasons (primarily the lack of clear guidance and the risk of provoking the individual to complain to the national supervisory authority or the risk of further sanction from the supervisory authority itself). 

5. What should I do to protect my business?

There are a number of steps that employers can and should take in preparation for dealing with such requests (both with a view to ensuring compliance with the GDPR and domestic legislation, and protecting its position and limiting its exposure to risk in relation to employee claims and negotiations with representative bodies). These include:

  • implementing appropriate procedures and policies governing the treatment of such request at all key stages, together with appropriate training, to facilitate the early identification and correct handling of a request;
  • documenting each Article 15 request carefully, including the searches carried out, the application of any exemptions and the communication with and responses to the individual, to evidence compliant conduct if required (bearing in mind that controllers must comply and be able to show that they have complied under the GDPR's guiding principles); and
  • ensuring strict adherence to retention and deletion protocols; and
  • ensuring that employee personal data can be easily identified and exported.

6. What consequences can I expect as an employer if I do not provide the requested information, do not provide it in due time or do not provide it to the required extent?

In the event an employer fails to provide the required information, or fails to do so in time, the individual who made the request can complain to the national supervisory authority. That authority may investigate the alleged breach; where it considers a breach occurred, the most likely first step would be to require the employer to provide the missing information. This in itself is a potential risk; it could place the employer of the radar of the national supervisory authority, and the nature of the matter complained of may open the company up to wider scrutiny.

Supervisory authorities have a range of significant powers to investigate, both in the event of a complaint and of their own accord. Such authorities also have key enforcement powers, asking questions, serving notices requiring the provision of information and impose fines and other sanctions. The potential financial consequences of a breach of Article 15 GDPR are significant; national authorities can impose in theory administrative fines of up to EUR 20 million or 4% of the total annual worldwide turnover of the previous financial year, whichever is larger. They can (theoretically) also impose a ban on processing activities or suspend data transfers, which may well have wider implications for an employer's business.

Individuals are not restricted to simply complaining to the appropriate national supervising authority; in most jurisdictions, if not all, they can also apply to the courts seeking a remedy in relation to an alleged breach. The nature of the claims available, and the way in which such claims should be structured, varies across the EU member states, but the underlying commonality is that in most cases, employees may be entitled to compensation in respect of a breach of obligations under Article 15 GDPR. As an overall comment, whilst there are certain trends discernible in the compensatory awards made to individuals affected by a breach, there are no clear limits - this depends on the factors considered, e.g. the nature / type and extent of the damage suffered as well as its type and extent.

  • In some countries, this is based on the damage caused to the individual, and/or the injury or harm suffered by the individual as a result of the breach. However, this is not always the case. In the UK, for example, claimants do not need to establish that they have suffered financial loss to bring a claim – evidencing emotional distress is sufficient, and the courts have made clear that the bar for evidencing emotional distress, and what constitutes emotional distress, is relatively low.
  • Equally, in some EU member states, compensation is calculated on a punitive basis with the intention of sanctioning the employer for the violation of the law committed (as well compensating the individual for any damage suffered).
  • In a number of EU countries (including, for example, Germany), the courts are required to take an approach to compensation that is favourable, if not generous, towards or in favor of employees when considering deterrence, punitive and purely compensatory factors.

As might be anticipated, the attitude of national supervisory authorities with regard to fines has so far been varied.

  • Both the French CNIL, which imposed a fine of EUR 50 million against Google, and the UK's Information Commissioner's Office, which announced it intended to impose fines of £183,390 million (equivalent to about US$ 230 million or EUR 204 million) and £99,200,396 (equivalent to about EUR 124 million) against British Airways and Marriott International respectively, have garnered widespread attention.  
  • Also German supervisory authorities have already imposed major GDPR fines.
    • The German authorities (“DSK”, joint coordination body of the German data protection authorities) have recently published their concept/model for calculating fines under the GDPR which has already been criticised since it includes the worldwide turnover as the main basis of the calculation which can result in heavy fines for large companies and groups of companies for even minor violations;
    • the Berlin data protection commissioner has also already imposed a fine of around EUR 14.5 million on a real estate company for not maintaining a proper deletion concept for customer data and the German Federal Commissioner for Data Protection and Freedom of Information, the competent DPA for all telecommunication service providers in Germany, imposed a fine on a telecommunications service provider amounting EUR 9,5 million (although, the decisions are not final yet and the companies can still lodge an appeal against the fine notice);
    • even before the GDPR came into effect fines of millions euros were imposed against German companies, inter alia, against a supermarket chain in the context of illegal monitoring of employees - under the GDPR and the new German calculation model the fines would have been even significant higher.

In essence, there is as yet no clear EU-wide approach, with regard to national supervisory authorities or national courts, in respect to infringements of Article 15 GDPR. The attitude of supervisory authorities, and the nature of any sanctions (including the level of any fines) imposed is by no means consistent and varies greatly across the EU. It remains to be seen to how these practices and approaches develop across the EU in the coming months and years.