France: When Personal Data Requests Divert from Their Intended Purpose, Can Employers Push Back?

December 10, 2018

In accordance with the General Data Protection Regulation and the French revised law of 6 January 1978 (Loi Informatique et Libertés), any person whose personal data is being processed has a right of access which allows the person to examine and obtain a copy of his/her data. However, when an employee uses this right, for a current or future litigation, to obtain evidence to which he/she would not normally have access, what rights do employers have to refuse or limit such a request?

Any person may exercise the right of access to his or her personal data by contacting the relevant data controller.[1] The new legislative and regulatory framework for data protection, which governs this right, has been the subject of significant media coverage. As a result, a few employees and their advisers have tried to take advantage of the opportunities it may offer. Several have thus been tempted, for the purpose of a current or future labor litigation, to misuse this right to obtain evidence to which they would not normally have access.

This raises the question: May employers oppose the employee’s use of the right of access, and to what extent?

Opposition to the Exercise of the Right of Access Diverted from Its Purpose

In light of current law, where a request is manifestly unreasonable, the data controller may either require the payment of reasonable costs or refuse to comply with such a request.[2] The burden of proving the manifestly abusive nature of a request lies with the data controller. If necessary, the employer may legitimately oppose an employee's request for access but must ensure that such refusal is justified and documented. Thus, the French data protection authority Commission Nationale de l'Informatique et des Libertés (CNIL) acknowledges that multiple requests, closely spaced in time, for data already provided could be qualified as "manifestly excessive".

But the applicable texts could be interpreted more boldly. Indeed, the General Data Protection Regulation (GDPR) expressly states that the right of access is intended to verify the lawfulness of personal data processing. The purpose of the right of access is clearly not to enable an employee to obtain evidence to which he or she would not normally have had access. The employee should, in principle, use common law remedies such as probationary summary proceedings, which involve judicial review.

Therefore, it may be possible to refuse an employee access (for example, by indicating that a request is manifestly abusive) on the grounds that the requesting individual is diverting the right of access from its purpose. In practice, abuse will be much easier to prove if the requesting employee did not justify the request (although not obliged to do so) and filed his or her labor legal action very shortly after the request for access.

In such circumstances, saving time can be decisive.

Opposition to the Disclosure of Certain Documents or Data

An employer wishing to oppose or limit an employee's request for personal data may consider employing the following actions, as explained in more detail below:

  • Ask the employee to specify the request 
  • Remove information infringing the rights and freedoms of third parties 
  • Apply a strict interpretation of the regulations to refuse to provide the employee's business emails

Ask the employee to specify the request

The GDPR indicates that the data controller, when processing a large amount of data relating to the person concerned, may ask the person exercising the right of access to specify to which data or processing operations the request relates. As such, if an employee asks an employer to give access to or provide a copy of all the personal data that concerns the employee, and provides no further clarification, the employer may consider asking the individual to specify the request.

This saves time and reduces the number of documents to be provided to the employee (assuming the employee does specify the request). In addition, the employee's potential refusal to specify the request and/or its scope may document a subsequent refusal to provide the documents on the grounds that the request is manifestly abusive.

Remove information infringing the rights and freedoms of third parties

The GDPR specifies that the exercise of the right of access must not infringe the rights and freedoms of others, including with respect to business confidentiality or intellectual property. However, it is possible that an employee's exercise of the right of access could infringe the rights and freedoms of the employer and third parties in many respects.

One area that may be infringed is business secrecy. The definition of business secrecy given by French law is relatively restrictive. Such information must meet three cumulative conditions—it must be secret, have commercial value because of its secret nature, and be subject to reasonable protective measures to preserve its secret nature.[3] Business secrecy may be a useful shield to avoid providing documents and information that meet its criteria against broad requests for email disclosure from former employees.

In addition, it could be argued that a request by an employee for disclosure of any email containing personal data, without any particular restriction or justification, may violate the confidentiality obligations that the individual owes to third parties or to the company, or that the company itself owes to third parties.

In addition, in the name of the right to privacy, it seems necessary to only provide to the employee his or her own personal data and not data concerning third parties (for example, the names of other persons or information relating to their personal situation).

The disclosure of a document that has been largely redacted in the name of the above principles may lose all meaning, which in itself could possibly justify a refusal to disclose.

Apply a strict interpretation of the regulations to provide personal data, not documents containing it

Finally, the right of access allows—both according to the GDPR and the revised French data protection law—that individuals can obtain "a copy of the personal data being processed".[4] A restrictive interpretation of this language could lead to the conclusion that only information being actual personal data (i.e., name, surname, home address, email address, phone number, etc.) should be provided, and not all documents containing such personal data. Following this strict interpretation, an employee's request to obtain a copy of any email containing his or her personal data could be considered manifestly unfounded, as the thousands of emails received and sent by an employee all contain, at least, his/her name and surname. Providing all emails received by and sent to an employee may constitute an enormous volume of documents which may contain personal data of third parties, and/or information protected by business secrecy, and/or information regarding the particular interests of the company employing the employee making the request. Such a position would make it possible to avoid “fishing expeditions,” i.e., the abuse of the exercise of the right of access in the context of a non-specific search for information for the purpose of a possible litigation.

However, such a strict interpretation of the texts could deprive the employee of the means to exercise effective control over the use made of his or her personal data and deprive the right of access of its substance. Courts or the CNIL will therefore likely be tempted to adopt an extensive interpretation of the regulations—despite their letter, and in the name of the protection of freedoms and personal data—that will allow the employee access to all of a company's documents containing his or her personal data. However, the practical constraints and imperatives of the business world require that everyone's interests be balanced.


If you have any questions or would like more information on the points raised in this LawFlash, please contact one of Morgan Lewis' lawyers:

Charles Dauthier
Laetitia De Pelet

[1] Article 15 of the European Regulation 2016/619 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR) and Articles 39 and 40-1 to 43 of the French informatique et libertés law n°78-17 of 6 January 1978.

[2] Article 12 of GDPR and Article 39. II. of the French informatique et libertés law.

[3] Article L. 151-1 of the French Commercial Code created by French law n° 2018-670 of 30 July 2018.

[4] Article 15.3 of GDPR and Article 39.I of French informatique et libertés law n° 78-17 of 6 January 1978.