It is not uncommon for employers to receive access requests under data protection law from their former employees. Employees use this instrument to exercise their personal rights, particularly in the context of unfair dismissal proceedings or in preparation for them. However, they can also gain strategic advantages for a possible settlement.
For employers, dealing with such requests can be challenging in individual cases. However, providing a precise and legally compliant response to these requests is crucial to avoid fines and claims for damages and to ensure that the employer does not expose itself to attack in an employment dispute. But how much information is required? What legal and practical steps are required to meet the demands? And how can a solid answer be formulated that does not leave any room for attack but still meets all legal requirements in terms of content?
This article highlights what information needs to be provided, to what extent there is a duty to provide information, and what practical aspects should be considered.
Which requests must be answered?
Requests for information are not subject to any specific formal requirements. Employees are free to decide how to submit their request. Employers are not allowed to charge a fee for processing the request or demand a justification.
After receiving the request, the employer is obliged to verify the identity of the applicant to ensure that personal data is not disclosed to unauthorized third parties.
In this context, telephone requests are not unproblematic, as the identity of the person making the request cannot be established beyond doubt in every case. Only if the telephone number can be clearly assigned to the former employee may a telephone request be answered. Otherwise, suitable proof of identity is required, e.g. by making inquiries using the contact details known to the employer. If a request is received by email, the employer should also reply by email if the email address is known and can be clearly assigned to the data subject.
The employer cannot insist on a specific method of transmission for the data subject request. As long as it is practically possible for the employer to identify the employee, the request must be answered.
If a lawyer requests information on behalf of an employee, an original power of attorney is usually required. According to case law [1], the period for providing information only begins with the submission of such a document. In addition, the power of attorney must explicitly include the data subject's rights under data protection law. A power of attorney that only relates to employment law matters is not sufficient, as it does not necessarily include data protection requests.
If the required proof of identity or power of attorney is missing, the employer should confirm receipt of the request and ask for the relevant documents to be submitted instead of ignoring the request.
What is the deadline for releasing the data?
According to Art. 12 para. 3 GDPR, the requested information must be provided immediately, but no later than one month after receipt of the request. Employers should not exceed the one-month deadline without good reason, as this may be considered culpable delay by the courts. As a rule, a response within seven days should still be considered prompt, although reasons should be given individually if a deadline of nine days is exceeded. [2]
If the employer has a clear process for responding to data subject requests and carefully maintained and complete records of processing activities (ROPA), the deadlines can usually be met without difficulty.
The absence of these structures does not constitute an argument for extending the deadline, since companies are generally obliged to have them in place. The data protection officer (DPO), if any, should also be involved in this.
In exceptional cases, the deadline may be extended by up to two months in accordance with Art. 12 para. 3 sentence 2 GDPR, for example in the case of very extensive or complex requests. However, absence due to illness or vacation of the responsible staff does not justify an extension of the deadline.
If complete processing is not possible within the deadline, the person concerned must be informed in good time. They should then be given partial information if possible. It must be made clear that this is a provisional response, and that further information will be provided subsequently.
If the employer does not comply with a request for information, it is obliged under Art. 12 para. 4 GDPR to inform the data subject without delay, but at the latest within one month of receipt of the request, of the reasons for the delay and of the right to lodge a complaint with a supervisory authority or to seek a judicial remedy.
What information must be provided?
Article 15 GDPR grants data subjects a right to information about the processing of their personal data, including:
- The purposes of the processing
- The categories of personal data concerned
- The recipients or categories of recipient to whom the personal data have been or will be disclosed
- The planned storage period or the criteria used to determine that period
- Data transfers to third countries and the guarantees in place for them
- The source of the data if it was not collected from the data subject
- Automated decision-making, including profiling
- The right to lodge a complaint with a supervisory authority
- The right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing
Furthermore, data subjects have the right to a copy of the processed data. This includes not only master data such as name, address, date of birth and bank details or account data of company software used, but also, for example, vacation requests, days of absence, duty rosters, pay slips and other information from which conclusions can be drawn about the data subject. In addition, the claim also covers information from internal communication, insofar as this contains personal data of the data subject.
Business secrets or personal data of third parties may only be disclosed if this is legally permissible. Otherwise, the relevant passages must be redacted, whereby the informative value of the data must be retained. If such redaction is not possible, it must be weighed up whether the legitimate interests of the third party or those of the claimant prevail. If information is redacted, this must be explained to the data subject when the information is provided.
In what form must the information be provided and where can the required information be found?
The GDPR does not prescribe a specific form for the provision of information. It can be provided in writing, electronically or, in exceptional cases, verbally (Art. 12 GDPR). If the request was made electronically (e.g. by email), a response must be provided in the same way if possible. The information must be formulated in a precise, transparent and comprehensible manner.
An up-to-date and complete ROPA makes it possible to extract the information required to answer the request in a structured manner. In the case of extensive processing activities, a tabular presentation is recommended, supplemented by a letter and, if necessary, annexes. The letter then contains all information that is not suitable for a tabular presentation or that supplements it. For example, excerpts from software tools containing relevant data can be included as attachments.
If a ROPA is not yet in place, the first step is to determine where in the company the former employee's data is processed. It is advisable to involve all relevant departments, in particular the HR department and direct superiors. The aim should be to answer the request as comprehensively and completely as possible.
Are copies of the data to be provided?
Pursuant to Art. 15 para. 3 GDPR, data subjects have the right to receive a copy of their personal data that is the subject of processing. The costs for this are borne by the employer. If the employee requests several copies of the same data record, the employer may charge a reasonable fee for each additional copy. The right to a copy corresponds to the right to information in accordance with Art. 15 para. 1 GDPR; therefore, only copies of the data for which a right to information exists can be requested.
Whether a copy is to be provided depends on the specific request for information. Under no circumstances are copies of all processed data to be provided with every request. Rather, it depends on whether the data subject actually requests a copy, which must be determined by interpreting the request and, if necessary, by asking the data subject. However, even if no copy is requested, the request can be answered in the form of a copy, provided that the copy contains the required data.
The Federal Court of Justice (BGH) has ruled that the provision of copies of document extracts, complete documents or parts of databases may be required if this is necessary for the understanding of the personal data. If an entire document contains personal data (e.g. an employee's email), a complete copy must generally be provided. On the other hand, letters, emails or notes from the employer are not automatically classified in their entirety as personal data of the data subject, even if they contain such information. It must be carefully checked whether a copy is necessary for complete information. [3]
In a further ruling, the Federal Labor Court (BAG) clarified that individuals are not automatically entitled to copies of all emails containing their personal data. Instead, they must specify their request for information and explain what specific information they require. [4]
It is important not to overwhelm the employee with a flood of copies in order to protect the rights of third parties and to keep the information transparent and comprehensible. It therefore makes sense to take a staged approach, in which initial information is provided in relation to data categories, and detailed information can then be provided in response to further requests.
Can access be refused?
In principle, a justified access request must not be refused. However, there are restrictions in terms of content, particularly with regard to personal data of third parties and trade and business secrets. In such cases, the information concerned must, where possible, be made unrecognizable.
If the employer no longer processes the employee's personal data or if it has already been completely anonymized, a so-called negative disclosure must be issued informing the data subject of this.
If the identity of the applicant cannot be clearly established, the information may not be provided for the time being. In this case, the employer should ask the person concerned to provide suitable identification documents.
Even if, in the opinion of the employer, the data subject already has the data in question, information must nevertheless be provided. If information has already been provided about certain data, this information must also be provided in the event of a new request. However, a reasonable fee may then be charged for further copies in accordance with Art. 15 para. 3 sentence 2 GDPR.
Repeated requests are not permitted indefinitely. According to Art. 12 para. 5 sentence 2 GDPR, the controller may either demand a reasonable fee or even refuse to provide information in the case of manifestly unfounded or excessive requests – especially in the case of frequent repetition. High standards must be applied to the criterion of "frequent repetition". In the event of a refusal, the data subject must be informed of the reasons for the refusal and of the possibility of lodging a complaint or appeal in accordance with Art. 12 para. 4 GDPR.
Practical tips
- Introduce structured processes: Responsibilities for processing inquiries should be clearly defined.
- Keep an eye on deadlines: Inquiries must be answered in good time in order to avoid fines or claims for damages.
- Involve data protection officers: Internal or external data protection officers can ensure that requests are processed in a legally compliant manner.
- Keep a register of processing activities: A well-maintained register makes it much easier to process requests for information.
With a well-thought-out approach, inquiries from affected parties can be processed efficiently and with legal certainty, and risks in labor court disputes can be minimized.
Sources
[1]: AG Berlin-Mitte, judgement of 29.07.2019 (case no. 7 C 185/18); OLG Stuttgart, judgement of 31.03.2021 (case no. 9 U 34/21).
[2]: Cf. EuGH, judgement of 14.6.2016 (C-263/14); cf. ArbG Duisburg, judgement of 23.3.2023 (case no. 3 Ca 44/23); cf. BAG, judgement of 27.2.2020 (2 AZR 390/19); Brandt/Goffart, NZA 2024, 240 (241).
[3]: BGH, judgement of 05.05.2024 (VI ZR 330/21).
[4]: BAG, judgement of 27.04.2021 (2 AZR 342/20).