Future of work: What to do with GDPR/data subject access requests


Share

Since the GDPR came into force there has been a rise in subject access requests (SARs).

An employee has the right to obtain information from an employer as to whether or not personal data is being processed about him or her. Personal data is information relating to an individual from which they can be identified. If personal data is being processed, the employee is entitled to be given a copy of this personal data. This must be provided free of charge, without undue delay and, in most cases, within one month of receipt of the request.

Although an employer must make genuine and extensive efforts to comply with a SAR, it does not have to go so far as to leave no stone unturned. Subject access requests are subject to the principle of proportionality, and although an employer should be prepared to make extensive efforts to find and retrieve the requested information, it is not required to do things that would be unreasonable or disproportionate to the importance of providing subject access. You may suspect the employee has ulterior motives but that isn't relevant. The starting point for the ICO is that they have a right to their personal data.

Insight

Employee shareholder status was not terminated by subsequent service agreement

Explore
Insight

Whistleblowing and reasonable belief in public interest

Explore
Insight

Holidays for term-time only workers not subject to pro rata reduction

Explore
Insight

WEC proposes changes to enforcement of discrimination rights

Explore
Insight

Updated guidance launched by Home Office on modern slavery victims

Explore
Insight

ICO guidance on data subject requests updated

Explore