19 December 2018
The EU General Data Protection Regulation (GDPR) has had a wide-ranging impact. For most employers, the threat of high fines has been sufficient to encourage them to try to be GDPR compliant. Now, more than six months after the GDPR's introduction, the question has arisen as to whether employers' concerns in this regard were justified. Recent case law and an incremental penalty imposed by the Dutch Data Protection Authority (DDPA) show that employers should take the GDPR seriously when it comes to personnel files.
Under Article 15 of the GDPR, data subjects have the right to access their personal data. Further, Recital 63 of the GDPR stipulates that data subjects should be able to exercise this right easily and at reasonable intervals. The purpose of this right is to enable data subjects to be aware that their data is being processed and verify that such processing is lawful. This right also applies where the personal data of employees is processed by their employer.
Recent case law from the Midden-Nederland District Court and The Hague District Court has confirmed that, in principle, employees have the right to access their personnel files.(1) For privacy specialists, this should come as no surprise. While restrictions surrounding this right of access exist (eg, to protect the rights and freedoms of others), they generally cannot be invoked for the majority of personal data included in a personnel file.
In the matter before the Midden-Nederland District Court, the employer tried to prevent an employee from accessing their personnel file by claiming that they had already received the relevant information and were aware of the file's contents. However, the court ruled that an employee's knowledge that their personal data has been processed is no reason to refuse an access request. In addition, Article 15(3) of the GDPR allows data subjects to request further copies of their personal data, which implies that the right of access also exists if copies of the documents containing personal data have already been provided.
Refusing an access request has its risks. In August 2018 the DDPA advised that it had imposed a €48,000 incremental penalty on a Dutch bank for failing to comply with a client's right of access. This penalty was not imposed without warning. The DDPA gave the bank two months to comply with the client's request and imposed an incremental penalty of €12,000 for each week that the bank failed to do so. In the end, the bank was four weeks late in complying with the request, resulting in the final penalty of €48,000.
Notably, the bank in the above case tried to refuse the client's access request by pointing out that they wanted to use the information for further legal proceedings. According to the bank, this was not in line with the rationale of the right of access (ie, to be aware of and to verify the lawfulness of data processing). Thus, the bank held that the request constituted a misuse of the law. However, the DDPA dismissed the bank's claim, stating that the fact that a data subject may use personal data for legal proceedings does not restrict their right of access thereto.
Although the access request and penalty in the DDPA case were based on the Dutch predecessor of the GDPR (the law implementing the EU Data Protection Directive (95/46/EC)) and the request concerned a client (and not an employee), the DDPA's actions are relevant for employers, as they show that it is not afraid to act when it comes to the right of access. A similar incremental penalty can be expected on the basis of the GDPR for non-compliance with an individual's right to access their personnel files.
The bank has appealed the DDPA's decision. This is positive for the development of the law, as only a few court rulings on the GDPR have been handed down to date.
Pascal Van Schaik