Frequently asked questions
Frequently asked questions about the GDPR employee right of access, handling requests in practice, and streamlining GDPR compliance with Pinda.
Understanding the GDPR Right of Access
Article 15 of the GDPR gives every individual, including current and former employees, the right to confirm whether their personal data is being processed and to obtain a copy of that data. In a professional context, this can cover a wide range of information: emails, HR records, performance reviews, internal communications, and more.
The employer must provide all personal data relating to the employee, regardless of format: professional emails, HR documents (contracts, reviews, disciplinary records), data from internal tools, and communications containing identifiable information. This obligation is balanced against third-party rights, confidentiality, and trade secrets.
In principle, yes. Professional emails containing the employee's personal data fall within the scope of the right of access. However, this right is not absolute — the employer must identify relevant emails, exclude or redact information about third parties, and protect sensitive content. If the request is too broad (e.g. years of emails without any filter), the employer can ask the employee to narrow it.
Yes, provided an exchange contains personal data relating to the employee. Communications of a private nature, and exchanges with no connection to the employee's personal data, are excluded.
The right of access must be balanced with other legal obligations. Certain information must be excluded or protected: professional privilege (particularly legal correspondence), medical confidentiality, third-party personal data (to be anonymised or redacted), and trade secrets. Private communications remain out of scope even when sent using company tools.
Yes. The right of access can be limited if the request infringes third-party rights, concerns confidential information, or involves a disproportionate effort. These limitations must be justified and documented.
The company must implement redaction and anonymisation mechanisms to prevent unauthorised disclosure of personal data relating to other individuals.
The company has one month to respond. This deadline can be extended by two months in cases of complexity or high volume, provided the requester is informed of the extension.
Yes, in certain cases: if the request is manifestly unfounded or excessive, imprecise or unworkable, or involves a disproportionate impact on third-party rights or confidentiality. For example, a request seeking documents with no direct connection to the employee's personal data may be refused. The refusal must be justified and documented.
Failure to comply with the right of access can result in administrative sanctions (fines), orders from the supervisory authority, and litigation risks (particularly employment tribunal proceedings).
Handling GDPR Requests in Practice
The process typically follows these steps: 1) identity verification, 2) identification of data sources, 3) data collection, 4) analysis and sorting, 5) redaction, 6) producing the response.
The process involves multiple teams: DPO, HR, IT, and Legal. This cross-functional nature makes handling requests complex and time-consuming.
Data is often scattered across email systems, HR tools, internal servers, and collaboration platforms. A data source mapping is essential to ensure nothing is missed.
Processing can take anywhere from a few days to several weeks, depending on the volume of data, the number of systems involved, and the legal complexity of the request.
Manual processing quickly reaches its limits. It is necessary to filter relevant data, automate searches, and accelerate document analysis to meet legal deadlines.
Redaction involves masking third-party data, confidential information, and protected content (legal privilege, medical confidentiality, etc.). The process must be thorough and auditable.
Compliance relies on a clear methodology, documented decision-making, and full traceability of every step in the process.
The company can ask for clarification on the time period, type of documents, or keywords involved. A request requiring the analysis of massive volumes can be narrowed to remain proportionate.
Yes. A request can be refused if it is excessively repeated, manifestly abusive, or filed for improper purposes — for example, multiple similar requests submitted in rapid succession.
Companies look to standardise processes, automate repetitive tasks, and reduce processing times and costs. Dedicated solutions make it possible to achieve this at scale.
Streamlining GDPR Requests with Pinda
Pinda is a platform that streamlines the end-to-end processing of employee GDPR access requests. It brings structure, clarity, and efficiency to every stage — from intake to delivery — so your teams can respond faster and with greater confidence.
Pinda provides a structured workflow that guides your teams through data collection, document analysis, personal data identification, and redaction. By removing friction and manual coordination overhead, it turns a complex, multi-team effort into a smooth, repeatable process.
Pinda works with emails, HR documents, internal files, and attachments across a wide range of sources and formats, giving your teams a unified view of all relevant data.
Pinda uses AI to help detect sensitive information, identify third-party data, and suggest redactions in line with GDPR requirements — accelerating the most time-consuming part of the process while keeping your team in control of every decision.
Yes. Pinda is designed in close collaboration with legal experts to align with regulatory requirements and data protection best practices at every step.
By streamlining coordination, reducing manual effort, and accelerating document review, Pinda can turn what typically takes weeks into a matter of hours — freeing your teams to focus on higher-value work.
Not at all. Pinda empowers your existing teams by removing the repetitive, low-value tasks that slow them down. DPOs, lawyers, and HR professionals stay in charge of every decision — Pinda simply makes their work faster and easier.
Pinda connects with your email platforms, HR tools, and document management systems to centralise data collection — no need to overhaul your existing infrastructure.
Yes. Pinda ensures data confidentiality and access security through encryption, role-based access controls, and comprehensive audit logs for full traceability.
Pinda is designed for organisations with significant employee headcounts, those facing growing volumes of access requests, or any company looking to bring structure and efficiency to their GDPR compliance process.