Flag of Germany

Employees may have a claim against their employers for access to information about all personal data processed by the employers pursuant to Article 15 (3), Sentence 1, of Regulation (EU) 2016/679 (General Data Protection Regulation (GDPR)). Under the GDPR, employees have a right to access, among other things, information about the purposes of personal data processing, the recipients of the data processed, and the storage period relevant to the data. In accordance with the GDPR, an employer must also provide employees with copies of the data that the employer processed.

Until recently, the scope of the GDPR’s right to information and the right to receive data copies had not been clarified by German case law. In particular, the scope of data copy requests had caused major problems in practice, especially in the context of employment relationships. Almost all documents created, processed, and stored in the context of an employment relationship contain personal data. Documents containing personal data include, for example, emails sent and received by employees. Are employees therefore entitled to a (complete) copy of all emails sent and received? What if the emails contain the personal data of third parties—how does that affect the analysis? Germany’s highest labor court had not previously defined the scope of such claims.

The scope of the right to information and access to copies of email correspondence was brought before the Federal Labor Court and one of its panels, the Second Senate, which handed down a significant decision on the issue on April 27, 2021.

Background

The case involved an employee who had been dismissed by his employer during his probationary period and taken legal action against his former employer to contest the dismissal. As a former data protection officer, the employee had enjoyed special protection against dismissal, comparable to the protection against dismissal enjoyed by a member of a works council (Section 6 (4), Sentence 2 of the German Federal Data Protection Regulation (BDSG)). In addition to asserting protection against dismissal, he asserted a claim for information under Article 15 of the GDPR regarding the personal data stored by the employer that concerned him. He also demanded copies of the data.

 

On June 26, 2019, the Hamelin Labor Court dismissed the employee’s (additional) claim for a copy of the data. The Lower Saxony State Labor Court then partially upheld the employee’s appeal on June 9, 2020. In response to the plaintiff’s appeal, the Federal Labor Court ruled and dismissed the action.

Analysis

The Lower Saxony State Labor Court assumed that the employee had a right to be provided with a copy of his personal data—namely, the data that he requested—but found that his right to a copy of the data did not extend to the requested copies of his email correspondence or other emails that mentioned him by name.

The Lower Saxony State Labor Court did not consider the email correspondence to be personal data within the meaning of Article 15 of the GDPR, because that article refers to data that is “the main subject of processing”—i.e., that provides a certain degree of information about the data subject. According to Recital 63 to the GDPR, the data controller (here, the employer) may request a specification of the requested information or processing operations by the data subject (here, the employee) if large amounts of information about the data subject are processed.  According to the state labor court, the employee’s request was not sufficiently specific, and the employer did not have to make copies indiscriminately. In addition, the right to information is limited to such documents that are not already available to the person requesting the information. In this case, the employee was already aware of his or her own email correspondence, and for that reason alone was not entitled to be provided with copies.

The Federal Labor Court rejected the employee’s appeal as inadmissible. Notably, the decision was based on purely procedural reasons, as the claim was not sufficiently specific under the German Code of Civil Procedure. The highest labor court therefore did not provide a comprehensive clarification regarding the full scope of claims for data copies.

The Federal Labor Court nevertheless clarified that a request that merely repeats the wording of the GDPR does not comply with the principle of certainty from Section 253 (2) No. 2 of the German Code of Civil Procedure (ZPO). Documents, such as emails, for which copies are to be provided, must be designated in a request so precisely that in any enforcement proceedings that may be required, it is beyond doubt as to which specific documents the obligation to provide information relates. In the event that such a specific request cannot (yet) be made because, for example, it is unclear which specific documents the employer holds, the request can be asserted in court by way of a step-by-step action pursuant to Section 254 ZPO. In such a case, the employee must first assert a claim for information and then formulate a concrete request for surrender once the information has been provided.

Key Takeaways

Thus, employers still cannot cite to this Federal Labor Court ruling on the scope and restriction of the right to information under applicable data protection regulations. Against this background, employers may want to draft restrictions on the right to information in compliance with the legal requirements of the GDPR. In this regard, the GDPR offers some leeway for drafting. Employers might therefore want to not take information claims lightly, but actively shape the context for these requests. Employers may also want to keep in mind that emails may contain the personal data of third parties to which an employee is not entitled, and the disclosure of such emails may violate the rights of third parties. In such cases, employers are required to check each individual email to determine whether it is subject to Article 15 of the GDPR, and, if necessary, purge the email of such data.

Author


Browse More Insights

Modern dark data center, all objects in the scene are 3D
Practice Group

Cybersecurity and Privacy

The attorneys in the Cybersecurity and Privacy Practice Group at Ogletree Deakins understand that data now accumulates quickly and transmits easily. As the law adapts to technical advancements, we effectively advise our clients as they work to comply with new developments and best practices for protecting the privacy of the data that their businesses collect and retain.

Learn more
Glass globe representing international business and trade
Practice Group

Cross-Border

Often, a company’s employment issues are not isolated to one state, country, or region of the world. Our Cross-Border Practice Group helps clients with matters worldwide—whether involving a single non-U.S. jurisdiction or dozens.

Learn more

Sign up to receive emails about new developments and upcoming programs.

Sign Up Now