A recent decision from the French Court of Appeal (available here in French) has confirmed that employees cannot rely on their right of access to obtain copies of entire work email correspondence or business files, merely because their name or email address appears in them. Where the material contains no substantive personal data beyond identifying information, the right of access does not extend to wholesale document disclosure.

This will be welcomed by data controllers, who regularly face broad, tactical and (increasingly) AI generated DSARs from employees, particularly following grievances, dismissals or during settlement negotiations.

Background

An accounting inspector was dismissed by a French notaries' association for professional incompetence. Following his dismissal, he requested all emails sent and received via his work email account, plus files stored on his computer. The employer refused, so the employee brought proceedings arguing that he was entitled to this material under the GDPR. The Court of Appeal rejected his claim.

What the Court said

The Court outlined the following, regarding the right to access personal data under the GDPR:

'The purpose of [Article 15] is not to obtain a copy of the email correspondence sent or received by the employee in the course of their work, which they have, by definition, had full access to, and which, unless they can prove otherwise that it is personal, contains only their identification (here, Mr [K]'s email address and name) as personal data.'

The Court went on to confirm that the right of access 'aims to allow the person exercising it to verify the compliance of the processing of their personal data with the requirements of the regulation, to verify the accuracy of the data and, if necessary, to have it rectified or erased.' This is useful in emphasising that the right of access is not a litigation discovery mechanism.

The Court was satisfied that the employer had fulfilled its obligations under Article 15 of the GDPR, and that the request for all work emails and business files went beyond what the law requires.

ICO and EDPB guidance

The French decision reflects the ICO guidance. The ICO's Right of Access Guidance (Guidance) provides an almost identical example,  where emails copy  in an employee, but "other than their name and email address, the content of the emails does not relate to the employee" the employer need not provide copies of each email. Instead, it's enough to confirm the existence of those emails and the identifying information they contain. The Guidance also states that "just because the requester is the recipient of an email does not mean the whole content of the email is their personal information."

From the European perspective, this is consistent with the EDPB guidelines on the data subject rights which effectively make the same point: 

"...the obligation to provide a copy is not designed to widen the scope of the right of access: it refers (only) to a copy of the personal data undergoing processing, not necessarily to a reproduction of the original documents." [para 23]

Simply appearing as a name in a 'To' or 'CC' field doesn't transform the entire email into the recipient's personal data. 

Looking ahead

Whilst this French decision isn't binding in the UK, it reflects a sensible (and consistent) interpretation of Article 15 that aligns with ICO guidance and EDPB positions. For employers grappling with DSARs from disgruntled staff, it provides useful authority for pushing back on this type of request. 

That said, employers must still assess carefully whether emails or files contain substantive personal data about the requester. Where they do, and where context is necessary to make that data intelligible, disclosure may be required.

The key point is that simply appearing in the "To" or "CC" field does not transform an entire mailbox into the employee's personal data.