Find out everything about the right of access in the GDPR
Today we are launching a new series of articles dedicated to people's rights. These articles follow our "1 min to understand everything" episodes that you will find on our LinkedIn page. "1 min to understand everything" is a short video in which our lawyers, who are experts in personal data protection, define the key concepts of the General Data Protection Regulation (GDPR) in simple terms and give you concrete examples. Follow us so you don't miss any news!
The GDPR strengthens the rights of individuals to ensure they have better control over their personal data. The text aims to give the people concerned (consumers, prospects, customers, employees, partners, etc.) a certain visibility on the use made of their personal data. Our articles go back over the various rights recognized by the Data Protection Act and the GDPR, starting with the right of access.
Sit comfortably with your coffee, we'll explain everything to you in 5 minutes! ☕️
What are people's rights?
Individual rights are mentioned in Chapter 3 of the GDPR. Not all rights are systematically applicable to all processing, their application depends in particular on the legal basis of the processing.
In our upcoming articles we will explain the following rights to you:
- Right of access,
- Right of rectification,
- Right to object (and right to withdraw consent),
- Right to erasure,
- Right to portability.
Understand everything about the right of access
The right of access is provided for by Article 15 of the GDPR. Exercising the right of access allows the data subject to know whether data concerning them are or are not processed by a data controller. When they are, the person can request a copy in a readable format and/or obtain the following information:
- The purposes of the processing;
- The categories of data collected;
- The recipients or categories of recipients to whom the data are or will be communicated, in particular recipients established outside the EU or international organizations;
- Where possible, the envisaged retention period of personal data or, where this is not possible, the criteria used to determine this period;
- The existence of the right to request from the controller the rectification or erasure of personal data, or a restriction of the processing of personal data relating to the data subject, or the right to object to such processing;
- The right to lodge a complaint with a supervisory authority;
- Where personal data is not collected from the data subject, any information available as to its source;
- The existence of automated decision-making, including profiling, referred to in Article 22, paragraphs 1 and 4, and, at least in such cases, useful information regarding the underlying logic, as well as the importance and intended consequences of this processing for the data subject.
On the other hand, when data is transferred outside the EU, the data controller must be able to communicate to the data subject the appropriate safeguards put in place to ensure the transfer.
The limits of the right of access
1st limit: The exercise of this right must not infringe the rights and freedoms of third parties, in particular intellectual property rights, business secrets, etc.
We offered you a survey on this theme on April 26 on our LinkedIn page: Should the employer send all professional emails of a former employee who requests their right of access?
Well done! Out of 167 voters, 69% of you voted "No" and 31% voted "Yes ✅".
This situation must be assessed on a case-by-case basis and the answer needs to be qualified! In principle, the employee can make a request for a right of access to his former employer. But you have to make sure:
- On the one hand, that the request is well-founded and is not excessive;
- On the other hand, that the request does not conflict with respect for the rights and freedoms of third parties.
The access request may concern either all of the data held by the data controller, or be more targeted. In our example, the request only concerns professional emails. In this case, we exclude personal emails sent via professional messaging (which are subject to specific regulations regarding labor law and rules relating to the secrecy of correspondence). They are identifiable by the words "private" or "personal" or by their obviously private content. In this case, the employer must transmit the emails as is to the requester, when the latter is the sender or recipient.
Regarding professional emails, they may contain confidential information concerning the company (commercial relations, economic information, know-how, etc.). The law of July 30, 2018, relating to the protection of business secrets, defines information protected under business secrets as: any information having commercial value, having a secret character, having an actual or potential value, and subject, on the part of its legitimate holder, to reasonable protection measures to preserve its non-public character.
In this case, the person's request may likely conflict with business secrets, intellectual property rights or even the rights of third parties. The former employer must then sort the communicable emails from those that are not. The CNIL suggests making a distinction between:
- Emails in which the former employee is the sender or recipient and,
- Emails in which the person is mentioned in the content
Hypothesis 1. Is the person concerned the sender/recipient of the emails?
In principle, they have already been aware of the emails in question. Access to these emails is then presumed to respect the rights of third parties. The data contained in the emails can be anonymized or pseudonymized before communication.
But, in certain cases, the content of the emails may constitute a risk for the rights of third parties even if the requester is already aware of it. The employer must then delete, anonymize or pseudonymize the information that may pose a problem in order to grant the request. If these measures are not sufficient, the employer may refuse to grant the former employee's request by giving reasons and justifying their response.
Hypothesis 2. Is the person concerned mentioned in the content of the emails?
The employer must grant the request of the former employee but without infringing the rights and freedoms of third parties, in particular other employees who enjoy the right to secrecy of correspondence. The employer must then assess whether the means to be deployed to grant the request are not too intrusive. The employer can then ask the person concerned to specify their request.
If the request is precise or has been refined by the former employee, the data controller must study the content of the emails. It then balances the interest of the applicant and the rights of third parties. In the event that the communication of the content of emails disproportionately infringes the rights of third parties, the employer may refuse to grant the request by justifying its decision. Otherwise, it transmits emails using anonymization, pseudonymization or content deletion measures if necessary.
CNIL diagram – Right of access to professional emails: https://www.cnil.fr/sites/default/files/atoms/files/droit_dacces_aux_courriels_professionnels_0.pdf
2nd limit: The data contained in certain sensitive files is not accessible to individuals.
The data contained in certain files cannot be communicated to individuals, even if the request comes from the person concerned. The law prohibits access to sensitive files, such as certain police files or files that affect state security.
However, there is a way to access them indirectly through the CNIL. This right of access is called the right of indirect access. The person sends their request to the CNIL, which checks, on their behalf, whether the file contains information about the person.
Data Comply One (formerly Mission RGPD) versus the right of access
You do not have time? You are lost? Is managing your compliance and more specifically people's rights complex?
✅ With Data Comply One (formerly Mission RGPD) don't panic, in addition to a specific module dedicated to requests to exercise rights, you will find ready-to-use response models on the platform.
Manage your compliance with ease and peace of mind!