Earlier this year, CNIL, the French Data Protection Agency, issued a ruling that changed the confidentiality treatment accorded to employee evaluations under French law. CNIL ruled that employees must be able to review any evaluations written about them by their employers. The CNIL issued the ruling after receiving several complaints from employees of an (anonymous) multinational company, which refused to divulge the employees’ evaluations to employees upon request.
Whereas this information is generally considered to be confidential by the Human Resources Departments of French employers, the French Data Protection Agency recently indicated that an employee evaluation constitutes "data" that should be disclosed to a concerned employee, because such data is necessarily taken into consideration by the employer when making decisions affecting the employee, such as salary increases and promotions.
In so ruling, CNIL reasserts the longstanding French legal principle according to which an employee is entitled to access any human resources data which has been used in a decision-making process regarding the employee. Such a principle is based on Article 39 of the French Data Protection Act (dated January 6, 1978 and amended on August 6, 2004), which provides that any "natural person" (e.g. an employee) who provides "personal data" to a " data controller" (e.g. an employer) is entitled access any personal data relating to him.
Upon first glance, such a position might be seen as conflicting with Article L.121-7 of the French Labor Code which provides that employee evaluations must remain confidential, but the confidentiality obligation specified in the Labor Code has been interpreted by the French Ministry of Labor and courts to only apply to third parties—not the employee.
CNIL’s recent position on the disclosure of employee evaluations is shared by several other European Data Protection Authorities and, as a consequence, if multinational companies have a policy not to share with their employees the contents of their evaluations, such a policy should be reexamined in light of the CNIL’s ruling.