The Belgian DPA draws a hard line against excessive eight-year email access requests

An ex-employee's request for 8 years of e-mails has been labelled excessive by the Belgian data protection authority in a new decision. What constitutes an “excessive” data subject request under the GDPR has rarely been discussed by authorities, so this case may be of interest – but be careful not to generalise from it too hastily, given its particular facts.

Facts:
– X, the complainant, worked for 13 years at an organisation that supports adults with a disability, as the person in charge of workshops. In that role, X used during the last 8 years a “functional” e-mail address – which the decision suggests was something like workshops@company.com rather than firstname.lastname@company.com
– Other people used that e-mail address (including another employee identified as Z)
– On GDPR Day in 2021, 9 months after his employment contract had been terminated, X requested access to his personal data
– The organisation, as controller, responded with some documents, but refused to give access to the mailbox

During the proceedings before the Belgian DPA, the controller explained its reasons for rejecting the request to access the mailbox – but that was too late, said the BDPA, because the reasons must be given in the response to the data subject.

However, the BDPA agreed with the controller’s position that the request was excessive. Here are the key excerpts:

“searching all emails concerning [X] for at least 8 years […] would impose a disproportionate workload on the [controller]. Moreover, the professional mailbox was used by different persons during several years. [X] also did not produce any evidence showing the presence of private e-mails in the mailbox, nor does [X] provide specific e-mail addresses or other parameters on the basis of which targeted searches of the mailbox could be carried out”

I have often seen the latter point being used by controllers in relation to individualised e-mail addresses as well, as it can be very relevant where a professional e-mail address is not meant to be used for personal/private reasons.

The BDPA also indicates that “no internal instructions indicate that [the employee] was required to put any labelling on the e-mails that are personal or to file them in a separate folder”. An opportunity to remind everyone of the importance of a good internal policy on e-mail/IT usage.

The BDPA concluded that “should any private e-mails be present, they cannot be retrieved by the [controller] with reasonable effort”. It added that it would not be acceptable to give access to all e-mails containing X’s personal data, as “the mailbox contains a lot of sensitive information, such as health data about the users of the [controller’s] services, namely adults with a disability”.

Conclusion: the request was excessive, and thus rightfully denied.

[The UK ICO’s guidance remains interesting in many respects, so do read that too]

Decision (in Dutch): https://lnkd.in/ewGByfvr


DataLaws.net is entirely open-access, and instead of getting your data in exchange for this content, how about another trade? If this commentary saved you research time or sparked an idea, feel free to invite me over for tea, chai or a hot chocolate next time you are around Brussels or Antwerp - or invite me over to your offices for a chat!
