Do individuals have the right to access their personal information?
Data protective jurisdictions tend to guarantee the right of individuals to contact an organization directly and find out whether personal data is being tracked. Access procedures and acceptable exceptions (such as business secrecy) are determined by law and may be subject to the control of data protection authorities. In the context of HR, personal data access requests can include information tracked by the company as well as data tracked by third-party solutions, such as background check vendors.
Data subjects have the right to request and obtain confirmation as to whether their personal data concerning is being processed. Where that is the case, individuals must be able to access their personal data and the following information:
- the purposes of the processing;
- the categories of personal data concerned;
- the recipients or categories of recipients to whom the personal data has been or will be disclosed, in particular recipients in third countries or international organizations;
- where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
- the existence of the right to: request rectification or erasure of personal data; request restriction of processing data concerning the data subject; or, to object to such processing;
- the right to lodge a complaint with a supervisory authority.
Every person may directly request that the data be corrected, completed, clarified or erased. The request might be sent directly to the data controller or to any other actor in the chain of processing. Processors and sub-processors are obligated to inform the data controller of requests and can only proceed under the controller’s instructions. Therefore, the processor shall, whenever possible, assist the data controller with data subjects’ requests.
As a general rule, the access request shall be provided free of charge. Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, a reasonable fee may be charged. Fees should take into account the administrative costs of providing the information or taking the action requested.
Requests must be answered within one month of receipt of the request. Any delay should be justified and accompany the request response. The format of the response should be based on the means used to make the request, unless otherwise requested by the data subject. In other words, if a request is emailed, the response should be via email unless the individual requests a mailed letter.
Where the controller has reasonable doubts concerning the identity of the natural person making the request, the controller may request the provision of additional information necessary to confirm the identity of the data subject. However, a reasonable proof of identity is always recommended.
Every person may contact its data protection authority within the European Economic Area (particularly if the right of access has been denied).
If a data controller causes harm to a data subject by collecting, processing or using an individual's personal data in violation of data protection regulations, the controller must compensate the data subject for the harm caused. There are no punitive damages under German law. The right to claim compensation also applies if the personal data is stored by non-automated procedures or filing systems. This obligation will not apply if the data controller has exercised due care in accordance with the circumstances of the specific case.
German Federal Data Protection Law
A few data subject rights were restricted in Germany's Federal Data Protection Act, including:
- Right of access: If an employee’s personal data is only stored to comply with statutory retention provisions, or for the purposes of data backup or monitoring, the access right doesn’t apply. The right also doesn’t apply in cases where giving access to the employee or individual would reveal confidential data (including private information on third parties or trade secrets). When access requests are refused, the reasons behind the refusal should be documented. Some higher labor courts have a broad understanding of “request for a copy of personal data” under Art. 15 (3) GDPR and have granted copies of records rather generously (including internal investigation reports).
• Right to erasure: The controller (i.e., the employer) is exempt from the obligation to erase personal data when erasure is, in case of non-automatic data processing, impossible, or only possible with disproportionately high effort and the data subject has a minor interest for erasure.
HR Best Practices: When processing an access request from an employee, make sure not to disclose information connected to other employees. Processors and sub-processors should establish official procedures and contacts for employee requests.