Long perceived as a technical rule intended for web giants, the General Data Protection Regulation (GDPR) has forcefully entered offices and open spaces. Today, the question is no longer whether an employer can monitor its employees, but how far an employee can dig into their company’s archives to retrieve their own data.
A fundamental right, even in the office
The principle is clear, but its implications are vast: everyone has the right to know if an organization holds data about them, to verify its accuracy and to obtain a copy of it in an understandable format.
In the world of work, this right does not stop at the door of the company. An employee or former employee can legitimately ask their employer for access to personal data contained in their work tools, and in particular in their professional email.
The objective? Allow the employee to maintain control. Are my reviews accurate? What information is circulating about me in management’s email loops? The right of access is the tool that transforms the employee from a simple “object” of data processing into an active “subject”.
The crucial distinction: Data is not Document
This is where the problem often arises during discussions between HR and employees. The right of access relates to personal data, not necessarily to the physical or digital document.
However, European case law (in particular the CJEU judgment of May 4, 2023) has provided a major clarification: if the communication of a full copy of an email is essential for the employee to understand the processing of their data, the employer must provide it. Clearly, extracting a simple line of text from a complex email is not always enough. The employer must provide a “faithful and intelligible reproduction”.
Did you know? For an email, the right of access includes “metadata”: the timestamp, recipients and subject of the message.
The employer’s puzzle: The rights of third parties
Although the right of access is powerful, it is not absolute. Its main limit? The rights of others. A professional mailbox is a crossroads of information where business secrets, colleagues’ private lives and intellectual property intertwine.
The employer must therefore play a balancing act. To simplify this often titanic sorting, the CNIL suggests distinguishing between two scenarios:
1. The employee is the sender or recipient
This is the simplest case. The employee has already been aware of the content. Here, confidentiality vis-à-vis the employee is almost zero. The communication is presumed legitimate. However, a good practice is to anonymize the names of third parties mentioned as a precaution, without this being a strict obligation if the employee already knew these contacts.
2. The employee is simply cited in the content
This is where the legal danger lurks. If two managers discuss the performance of a subordinate, the latter has the right to access comments concerning him, but not necessarily comments concerning other colleagues or strategic information of the company. The employer must then obscure sensitive passages or data relating to third parties.
Personal Emails: The Inviolable Sanctuary
There is an “off the radar” zone for the employer: messages identified as “personal” or whose content is clearly private. Under the confidentiality of correspondence, the employer does not have the right to open these messages, even to check whether they contain data to be transmitted.
If an employee requests access to his personal emails, the employer must give them to him “as is”, without even being able to censor them. To break this seal, the employer has only one option: go to court if he suspects fraud or theft of confidential documents.
Faced with “Big Data” in messaging: The CNIL method
Some requests concern thousands of messages accumulated over ten years of career. To avoid the paralysis of HR services, the CNIL offers a pragmatic approach in three steps:
- The summary table: The employer first provides a list (senders, dates, subjects).
- The dialogue: The employer informs the employee that total extraction represents a disproportionate burden and invites him to specify his request (target period, key words).
- Targeted communication: Once the perimeter is reduced, the data is transmitted.
Attention : An employer cannot deny a request solely because a lawsuit is pending. The GDPR right of access exists independently of the Labor Code or civil procedure.
Towards peaceful transparency?
The right of access to emails is not a weapon of war, but an instrument of transparency. For businesses, the message is clear: data management cannot be improvised. Setting limited retention periods and making executives aware of the drafting of their professional writings has become a necessity. Because today, every written email can, one day, come back before the eyes of its subject.
