Can directors of individual departments in a company have access to leave plans of all employees or only their own department?

ANSWER

As a rule, the GDPR does not directly regulate the issue indicated. It is for the data controller to decide each time to whom and to what extent to grant authorisations to process personal data within the controller's organisation. If the data controller considers it necessary for directors of individual departments to have access to leave plans of all employees of the company so that the company does not suffer downtime, can function normally, etc., it should grant them appropriate authorisations in this respect. If, however, there is no such necessity, granting authorisations may breach the integrity and confidentiality principle under Article 5(1)(f) GDPR. It is for the data controller to decide each time who should have access to personal data and to which data within the controller's organisation, having regard to the need-to-know principle.