The National Commission for Computing and Liberties has just decided, by clarifying a gray area of wage freedom on the Internet.
It was in a note published on its official website on January 5 that the CNIL took the decision to clarify one of the points of the Data Protection Act of 1978. Since the entry into force of the General Regulations on the Protection of data (RGPD) in May 2018, it must be said that cases of disputes concerning the rights of employees on the Internet have increased considerably. A finding that is found in particular in industrial tribunal cases, during which some plaintiffs claim from their former employer access to all the information concerning them, including the most confidential.
An overexploited gray area
Until now, the right of access provided for by the GDPR thus allowed employees to request before the Labor Court, all the documents on which they appeared. A request that could go so far as to concern internal emails mentioning the name of the complainant, even though he was neither the recipient nor the sender of these. A diversion of the law which came up against the limit of the secrecy of correspondence, and on which the CNIL had always been discreet, refusing until then to adjust or specify the framework of the right of access.
In May 2019 in particular, the French IT regulator had drawn up a sheet explaining: “the employee can obtain access to and communication of all the data concerning him, whether they are kept on computer or paper. He thus has the right to access data relating to his recruitment, his career history, the evaluation of his professional skills (annual evaluation interviews, rating), his training requests and any evaluations thereof, his disciplinary file, (…) his data from a geolocation device, any element used to make a decision regarding him”. A text that can easily be extrapolated.
The CNIL specifies
Faced with this legal vagueness, the CNIL therefore wanted to clarify a few points of the text in question. In addition to being free and compulsory, the right of access exercised by an employee (or former employee) thus only covers “on personal data and not on documents”, specifies the French gendarme. What’s more, “the exercise of the right of access must not infringe the rights of third parties”. the secrecy of business and correspondence, or the right to privacy, are therefore all obstacles that can restrict the right of access. An employer will now be able to rely on these factors to legitimately refuse to provide confidential or internal documents concerning an employee.
In concrete terms, the CNIL thus distinguishes between two cases: if the applicant is the sender or the recipient of an email, and that he is already supposed to have had knowledge of the document referred to, the company will thus be required to respond favorably to the request. However, it may choose to anonymize certain data. If, on the other hand, the applicant is simply mentioned in the email referred to, the employer may first ensure that the document “does not result in a disproportionate violation of the rights of all employees of the organization”. He will then make a decision after examining the content of the email, ensuring that the latter does not infringe the rights or the disclosure of the identity of an employee of the company. The case of personal mail remains a special case, since the employer is, theoretically, not in a position to access it.