This article was published on May 3, 2018

No, GDPR won’t let you read your boss’ emails about you

There's been some confusion as to the extent of the EU's new Genereal Data Protection Regulation.


No, GDPR won’t let you read your boss’ emails about you

The General Data Protection Regulation (GDPR) is Europe’s new massive move towards a modern legal framework to protect our rights in the digital age. It’s a daunting undertaking and the goal is admirable, but as with many EU initiatives, it’s ripe for misinterpretations.

GDPR is an incredibly complex matter and it’s hard for a regular layman to wrap his head around it (I’ve had to rectify a few mistakes in my reporting on it). When reputable outlets like The Guardian publish stories like “New Europe law makes it easy to find out what your boss has said about you,” it’s understandable how some people can get the wrong impression they could request their boss’ emails mentioning their names. I mean, what information does a normal person have to refute that?

Having had a few run-ins with GDPR’s vast complexity, I had a hard time believing that any employee in Europe could at any point request such massive amounts of data in only 30 days. It can be an extremely expansive and time-consuming endeavor because the employer would need to make sure that it didn’t include the personal information of other employees.

That’s why TNW spoke with Sarah Zadeh — Junior Associate at Kneppelhout & Korthals specializing in IT and privacy — and asked her if it was true that thanks to GDPR, you could get copies of your boss’ emails about you.

Will the real GDPR please stand up?

“No, it’s definitely not true! Based on the GDPR, you will not be able to gain access to the personal messages of your boss if he mentions you in them,” she told TNW.

Zadeh explains that it’s true that you can request access to your ‘personal data’ which your company keeps on you, that’s any data which relates to an identified or identifiable living individual. However, European case law clearly states that data such as emails your boss has sent about you is exempt from this.

“The reason behind this exemption is that those internal messages contain the personal thoughts of your boss. The right of access does not extend to all the personal messages, thoughts and ideas people have about you. So, based on the GDPR, you will not be able to access them,” says Zadeh.

While that’s bad news for those of us dying to know how our boss really feels about us, wouldn’t this tool be easily exploitable for disgruntled employees? Having tons of request for all the personal data could easily drain a lot of resources for a mid-sized company. Zadeh says that it isn’t really possible to force a company to hand over data for vengeful purposes — because the requests can actually be denied.

You can’t bankrupt your employer using GDPR

“If an individual sends, as the GDPR states, ‘manifestly unfounded and excessive’ requests — in particular because of their repetitive character — you may charge a reasonable fee, taking into account the administrative costs of providing the information, or you may refuse to act on the request of the individual,” says Zadeh.

She adds that when you refuse, you must explain (without undue delay at the latest within one month) why you have denied the employee’s request. You also need to inform him of his right to complain to the supervisory authority, as well as his right to bring his case to court.

The option is therefore available, but there are also processes in place to combat abuse. But why does the EU feel the need to open up the possibilities for such abuse? Facebook and other huge social media sites are one thing — with their data permeating all facets of our lives — but is it really so important for us to be able to request the personal data our employers have on us?

For Zadeh, it doesn’t matter who stores your data: personal data is personal data. “The philosophy behind the law is that individuals should have the right to access their personal data in order for them to be aware whether someone is processing it. Also to verify if there’s a legal and valid basis for the processing of their personal data.”

However, according to Zadeh, the right of access isn’t something new as it already exists under the former Data Protection Directive.

The only tool left: Directness

Since GDPR won’t be of much help to any of us when it comes to finding out what our bosses say about us behind our back, I tried a bold tactic instead. I asked TNW’s Editor-in-Chief, Alejandro Tauber, directly whether I could get access to the emails he’s sent about me.

His reply was short and… not so sweet.

“You’re pretty conceited to think I’d be interested in emailing about you.”

Ouch.

The Next Web’s 2018 conference is just a few weeks away, and it’ll be ??. Find out all about our tracks here.

Get the TNW newsletter

Get the most important tech news in your inbox each week.