Open navigation
Search
Search
All expertise
Explore our breadth of expertise.
International Desks
Helping you access overseas markets with support from our country and region-specific experts
Sectors View all
Practice Areas View all
Offices
Discover the scope of our presence in the jurisdiction.
Global Reach
Learn about our capabilities beyond borders.
CMS Netherlands
CMS Netherlands Abroad
All insights
Leverage our expert analysis, intelligence and thought leadership for your strategic advantage.
Personalised updates
Receive tailored insights and intelligence that apply directly to your business.
Topics in focus View all
Insights by type
CMS News
Stay up to date with our growth, evolution and our many successes.
Press
Contact us
For all general enquiries.
About CMS
CMS Careers

Select your region

International Europe Africa Asia-Pacific The Americas Middle East
English Nederlands
Legal Update

GDPR right of access in employment disputes: a growing dilemma for employers

17 Jun 2026 Netherlands 8 min read

An employer starts an internal investigation into an employee and receives an access request from the employee under Article 15 of the General Data Protection Regulation (GDPR). More and more, employees are using GDPR right of access to gather evidence for ongoing or contemplated proceedings and in doing so, the right of access is being used for a purpose that Article 194 of the Dutch Code of Civil Procedure (DCCP) is actually intended: obtaining access to documents for evidentiary purposes. 

For employers, this raises difficult considerations. 

First, does the employer have to comply with the access request? Usually, yes. The defence that the employee is using the request for a purpose other than the one for which it was intended rarely succeeds. 

Second, how should the employer comply? This is where the greatest risk lies. If too little is provided, complaints, proceedings and additional costs may follow. If too much is shared, privacy interests of third parties may be harmed, the integrity of an internal investigation may be jeopardised or the employer may undermine its own litigation position. 

In this article, we discuss how employers should deal with these considerations, where the limits of the GDPR right of access lie and the practical steps that can be taken.

Why employees choose Article 15 GDPR instead of Article 194 DCCP

Since 1 January 2025, an employee can (also) claim access to documents under Article 194 DCCP without court intervention. Previously, the employee first had to go to the court for this. That right is, however, subject to conditions: the employee must be a party to the legal relationship, the request must concern specifically identified documents and the employee must have a sufficient interest in access. In addition, the requesting party bears the costs. 

On these points, the GDPR right of access is more attractive: the employee does not have to specify exactly which documents he or she wants to inspect, does not have to assert a procedural interest and in principle it is free of charge. In addition, the employee can exert pressure by threatening a complaint to the Dutch Data Protection Authority (DPA) if the employer does not respond adequately. This makes Article 15 GDPR a more attractive tool for employees to gather evidence.

Abuse of rights: a defence that rarely succeeds

A frequently used defence by employers is that the employee, by submitting an access request with the aim of gathering evidence, is committing an “abuse of rights” (i.e. the employee is using the request for a purpose other than that for which it is intended). That defence almost never succeeds. The fact the employee uses the access request to collect evidence, exert pressure or prepare a damages claim is insufficient. CJEU case-law shows that the employer must prove that the request is not aimed at Article 15 GDPR: insight into the processed personal data and verification of its accuracy and lawfulness. If the employee, however, makes it plausible he or she is also seeking in-sight into the processing of personal data, the defence cannot succeed.

A 19 March 2026 CJEU judgment illustrates this. The applicant registered – according to the defendant, systematically – for newsletters from all kinds of parties with the aim of submitting an access request shortly afterwards and claiming damages if the request was not handled properly. The CJEU acknowledges that, in such a case, there could be an abuse of rights, but emphasised that the threshold is high: the employer must demonstrate that the request was not also made to learn how personal data was being processed or check its lawfulness and accuracy. In practice, demonstrating this is not easy.

The above does not alter the fact that, in exceptional cases, employers may, under Article 12(5) GDPR, charge a reasonable fee or refuse to comply with the request if a request is manifestly unfounded or excessive. That exception, however, is also applied restrictively and rarely accepted.

Limits to the GDPR right of access: what must and must not be provided?

If an argument based on abuse of rights does not succeed, that does not automatically mean that the employer must provide everything in full. When assessing which personal data must be shared, the employer must determine whether a statutory exception applies. This includes, among other things, protecting the rights and freedoms of others (including the employer itself), the integrity of an ongoing investigation, and the preparation of the employer’s own legal position and litigation strategy.

The exceptions must be interpreted restrictively. In practice, they often do not lead to a complete refusal, but rather to the provision of only certain documents or the redaction of certain information. The employer must assess, per document – and usually even word by word — what must be provided and what information may or must be redacted.

If the employer cannot successfully invoke abuse of rights or a statutory exception, it must provide all requested personal data in full within one month of receipt of the request – even if the internal investigation is still ongoing. This may include copies of documents, internal notes, emails and assessments.

If an external investigation agency is engaged, it will often qualify as an independent controller. The employer is then required to inform the employee about the sharing of personal data with that agency. This does not mean, however, that an investigation report must be provided, but the employee may be entitled to access their personal data included in it.

In practice, the key question is often not whether the employer must respond, but how. That is why a careful assessment of each document is essential.

What this means for employers: balancing two risks

An employee can use an access request to obtain information that is relevant to his or her evidentiary position. The possibilities for fully preventing this are limited: the employer cannot ignore the request and a defence based on abuse of rights rarely succeeds. The employer must respond to the request, and this is a labour-intensive and legally complex process requiring that an assessment be made document by document and even word by word.

Both extremes are risky. If too little is provided or too much is redacted, the employee may file a complaint with the DPA or initiate civil proceedings with all associated costs. If too much is provided, the employer may disclose personal data of third parties, commercially sensitive information or information that weakens its litigation position by sharing information that may later be used against it. Responding too late, or insufficiently explaining why certain information is not provided or has been redacted, can also prove costly. The best way to limit adverse consequences and costs after the fact is to invest sufficient expertise and time at the outset in assessing and responding to the access request.

Practical guidance for employers

  • Assess each access request carefully and determine whether it may be connected with a parallel dispute or investigation. That does not determine whether the access request must be answered, but it can influence how the request should be complied with.
  • Monitor the statutory response period of one month. If the request is complex or there are multiple requests, the period may, in certain circumstances, be extended by a maximum of two months. In that case, inform the employee of the extension within the first month in accordance with the requirements of Article 12(3) GDPR.
  • Identify at an early stage which exceptions may apply, such as protecting the rights and freedoms of others or preparing your own legal position. For relevant exceptions, consider, among other things, Article 15(4) GDPR and Article 41 of the Dutch GDPR Implementation Act.
  • Set up a clear internal process for handling GDPR access requests, so that requests are dealt with in a timely, consistent and documented manner.
  • Be alert to manifestly unfounded or excessive requests. In exceptional cases, the employer may, under Article 12(5) GDPR, charge a reasonable fee or refuse the request. Always substantiate and document this carefully.
  • Justify any full or partial refusal and inform the employee of the possibility of filing a complaint with the DPA or bringing an appeal before the courts. Also provide a proper explanation if certain parts have been redacted.
  • Ensure that the processing of personal data within the organisation does not conflict with the GDPR since shortcomings may come to light through an access request.
  • Involve legal expertise in good time, especially where an access request is linked to an employment-law dispute. In practice, those costs can be significantly lower than the costs of proceedings, enforcement actions, remedial measures or a weakened litigation position afterwards.

Contact

For more information on the interplay between the GDPR right of access and evidence gathering in civil proceedings contact your CMS client partner or the CMS experts who contributed to this article.

More insights
Employment, Labour & Pensions

Explore more

Event Netherlands

On the Pulse webinar series 2026 - Spring/Summer

30 Jun 2026
Publication Netherlands

The dormant employment agreement awakens

04 Jun 2026 4 min read
Expert Guide International

Remote Working Laws & Regulations in the Netherlands

17 min read
Back to top Back to top
Law-Now, RegZone, LEXplicite and Blogtt have moved to CMS.law. Law-Now has moved to CMS.law. RegZone has moved to CMS.law. LEXplicite has moved to CMS.law. Blogtt has moved to CMS.law.
Learn more Learn more Learn more Learn more
If you want to use third party tools, please enable personalisation cookies as part of your cookie preferences. You can change this setting at any time via the button below or in our Cookie Notice.