APD/GBA - 15/2021
|APD/GBA - 15/2021|
|Relevant Law:||Article 5(2) GDPR|
Article 15(1) GDPR
Article 15(2) GDPR
Article 15(3) GDPR
Article 24 GDPR
Article 32 GDPR
|National Case Number/Name:||15/2021|
|European Case Law Identifier:||n/a|
|Original Source:||APD (in FR)|
The Belgian DPA (APD/GBA) ordered an employer to delete the HR evaluation data on its employees. The decision comes after a complaint filed by an employee concerning an access request on his emails, IT logs and other films processed by the employer.
English Summary[edit | edit source]
Facts[edit | edit source]
The ex employee asked a copy of all the data processed on him: emails, images and videos, IT logs, and HR evaluation. The employer refused to grant access to part of it.
An (ex)-employee of an IT company sought to exercise his right of access and, to that end, sent a request to his former employer. Even though the employer replies to and partly complies with the request, not all of the requested information is delivered to the employee.
More specifically, the employer refused to provide a copy of the employee's personal file (including certain comments and remarks that were included in said file), as well as a copy of the IT-logs relevant to the employee.
Dispute[edit | edit source]
Can the employer refuse to give access to an employee's personal file on the ground that rights of others, more specifically the authors of comments and remarks in said file, would be compromised?
Can the employer refuse to provide a copy of IT logs based on the disproportionate amount of time and resources it would take to comply with such a request, based on the sheer quantity of logs and information that need to be checked to that end?
Can the employer refuse to provide a copy of emails based on the protection of trade secrets?
Holding[edit | edit source]
The Belgian DPA found that the employer violated articles 15.1 and 15.3 GDPR by denying the employee his right of access with regards to his personal file. The DPA ordered the Employer to rectify this violation by complying with the access request.
The Belgian DPA hold that in this case, giving access to the IT logs would be a disproportionate burden for the employer, thus justifying the employer's refusal to grant access.
The Belgian DPA considered that copy to the email cannot be refused on the basis that the employee could access the emails. However, the refusal can potentially be based on trade secret. To this end, the employer needs to prove the potential risk to trade secret that providing said emails might entail. The evaluation of this risk needs to be evaluated on a case-by-case basis.
Comment[edit | edit source]
Share your comments here!
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the French original. Please refer to the French original for more details.