French labor law: Employees (salaries), executives (cadres), senior executives (cadres dirigeants) - General Data Protection Regulation GDPR (RGPD): how to assert your right of access to your personal data? by CHHUM AVOCATS (Paris, Nantes)

Article 15 of the General Data Protection Regulation (GDPR) provides the right for employees to obtain a copy of its personal data being processed. [1]

Article 70-19 of law n°2018-493 of June 20th, 2018 reiterates this provision by stating that "the data concerned has the right to obtain from the data controller the confirmation that personal data concerning him/her are or are not processed and, when they are, the right to access to said data.” [2]

As a result, employees (salaries) can exercise their right of access to obtain many documents.

But what about the effectiveness of this right?

What arguments can the employer put against them?

And how to get around them?

We propose also draft letter to ask your personal data.

1) Right of access to personal data for employees (art 15 GDPR and article 70-19 of the law of 20th June 2018). Etendue du droit d’accès aux données personnelles pour les salariés (art 15 RGPD et article 70-19 de la loi du 20 juin 2018).

Article 4 of the GDPR defines "personal data" as any information relating to an identified or identifiable person. [3]

According to Article 4 of the GDPR, is deemed to be an identifiable natural person, any person who can be identified:


- Last name First Name,

- Picture,

- Video


-ID number,

-location data,

-login data from his workstation (as long as they identify the employee, for example, connections to a registered business mailbox)

As a result, an employee or former employee can obtain, under Article 15 of the GDPR, a right of access to all data concerning him/her, regardless of the medium of conservation (digital or paper).

Thus, an employee has the right to access data relating to:

- its recruitment;

- its career history;

- its remuneration;

- its assessment of professional skills (annual assessment interviews, grading);

- its disciplinary record.

Any element used to make a decision about it (example: a promotion, an increase, a change of assignment, a sanction). [4]

2) Bypass the limitations on the right of access to your personal data that the employer may object to you

The employee may be confronted with a number of limits by its employer to refuse the transmission of the requested documents.

2.1) The right of access cannot infringe the rights of third parties (art. 15 § 4GDPR)

The employer may legitimately refuse to transmit a document containing the personal data of several persons.

Article 15 § (4) of the GDPR expressly provides that "the right to obtain a copy [...] shall not affect the rights and freedom of others". [1]


1) The employer may, for example, refuse to send an e-mail, or a correspondence involving one of the employee's colleagues.

Advice for obtaining your documents: ask your employer to delete the names and surnames of the persons in copy or signatory, thus anonymized, it will not be any more an attack on their personal data.

2) He may refuse to transmit a video in which an employee appears surrounded by third parties.

Advice for obtaining your documents: ask your employer to make a blurring of the faces of other people concerned to keep in clear only your face.

Moreover, the right of access could not undermine the secrecy of correspondence guaranteed by Articles 11 of the Declaration of the Rights of Man and of the Citizen of 1789 and 8 of the European Convention for the Protection of Human Rights and fundamental freedoms.

The secrecy of correspondence is a fundamental freedom recognized for all citizens.

Therefore, an employee cannot, in principle, require obtaining emails between the employer and the HR department concerning him.

Indeed, their opinion on the employee is protected under the secrecy of correspondence.

2.2) The right of access cannot undermine the secrecy of business (Recital No 63 GDPR) - Le droit d’accès ne peut porter atteinte au secret des affaires (considérant n°63 RGPD)

The employer may also object to employees:

- Confidentiality of the data, often the subject of a clause in the employee's contract of employment.

- Business secrecy, express limit provided by the GDPR.

Indeed, recital 63 of the GDPR states that the right of access "should not affect the rights or freedoms of others, including business secrets or intellectual property rights, including copyright protection. The software. However, these considerations should not result in denying any information to the data subject. »[5]

As a result, employees are advised to specify, as much as possible, their requests for access rights, and to clearly define the documents they wish to access.


2) Make your right of access to your personal data effective


3.1) Advice to employees to assert your right of access to your personal data

Several tips:

1) Above all, avoid that your request for access rights can be qualified as abusive.

- Example: do not ask for a copy of all of your personal data for your entire career.

2) Circumstances your request for the right of access, the principle of utility and proportionality is apparent from recital 63 of the GDPR

- It is necessary to be precise in the requested documents;

- A request for a right of access is not required, however, it is recommended to justify the request to obtain the data more easily.

The employer must respond as quickly as possible to a request for a right of access and within a maximum period of one month (Article 12.3 GDPR). [6]

An extension of two months is possible, "given the complexity and the number of requests", provided that the person concerned is informed within one month of receipt of the request (Article 12.3 GDPR).

In case of refusal, or in the absence of response from the employer, it is possible to send a complaint to the National Commission for Data Protection (CNIL) with the evidence of the previous steps.

The penalties are heavier for employers today, they can go up to 4% of the global turnover of a company, which should push the companies to make effective the right of access to the personal data of the employees (art 83GDPR).

For example, on January 21th, 2019, the CNIL sentenced Google to a fine of 50 million euros, the highest fine ever pronounced.

So far, his record was 400,000 euros, a penalty imposed on the application of VTC Uber.

3.2) Employees - Letter Template Right of access to your personal data (GDPR)

You will find below 2 drafts of letters in order to assert your right of access.

Example 1

Re: Right of access to personal data


In order to prepare for my annual follow-up maintenance of days package (forfait jours), I would like under the right of access to my personal data (art 15GDPR), obtain a copy, in plain language, in a comprehensible format of the whole of my login data to my workstation for the years 2018-2019.

Thank you for sending me your reply as soon as possible and at the latest within one month from the receipt of my request (article 12.3 of the GDPR).

Best regards.                                                                                                                                                       © COPYRIGHT @chhumavocats

Example 2

Subject: Right of access to personal data


Following my dismissal, and under Article 15 of the General Data Protection Regulation (GDPR), I would like under the right of access to my personal data, obtain a copy, in plain language, in a format understandable, the following documents:


My disciplinary record for the last 3 years (2019-2017);

The contentious video surveillance of 27th January 2019.

[Precisely list the desired data]

Thank you for sending me your reply as soon as possible and at the latest within one month from the receipt of my request

(article 12.3 of the GDPR).

Best regards.

                                                                                                                                                                                                              COPYRIGHT @chhumavocats


NB: If you send your application electronically, the information will be provided to you in the same way, unless you request it to be otherwise

 [1]  https://www.cnil.fr/fr/reglement-europeen-protection-donnees/chapitre3#Article15

[2] https://www.legifrance.gouv.fr/affichTexteArticle.do;jsessionid=8A21186ACB7E7C2FA3E0EA6CD963E060.tplgfr32s_2?idArticle=JORFARTI000037085968&cidTexte=JORFTEXT000037085952&dateTexte=29990101&categorieLien=id

[3] https://www.cnil.fr/fr/reglement-europeen-protection-donnees/chapitre1#Article4

[4] https://www.cnil.fr/fr/lacces-son-dossier-professionnel

[5] https://eur-lex.europa.eu/legal-content/FR/TXT/?uri=CELEX%3A32016R0679

[6] https://www.cnil.fr/fr/reglement-europeen-protection-donnees/chapitre3#Article12


Frédéric CHHUM, Avocats à la Cour (Paris et Nantes)

Membre du Conseil de l’ordre des avocats de Paris

.Paris : 4 rue Bayard 75008 Paris - Tel: 01 42 56 03 00 ou 01 42 89 24 48
.Nantes : 41, Quai de la Fosse 44000 Nantes -  Tel: 02 28 44 26 44

E-mail : chhum@chhum-avocats.com

Blog: www.chhum-avocats.fr


Ajouter un commentaire