Future of work: What to do with GDPR/data subject access requests


Share

Since the GDPR came into force there has been a rise in subject access requests (SARs).

An employee has the right to obtain information from an employer as to whether or not personal data is being processed about him or her. Personal data is information relating to an individual from which they can be identified. If personal data is being processed, the employee is entitled to be given a copy of this personal data. This must be provided free of charge, without undue delay and, in most cases, within one month of receipt of the request.

Although an employer must make genuine and extensive efforts to comply with a SAR, it does not have to go so far as to leave no stone unturned. Subject access requests are subject to the principle of proportionality, and although an employer should be prepared to make extensive efforts to find and retrieve the requested information, it is not required to do things that would be unreasonable or disproportionate to the importance of providing subject access. You may suspect the employee has ulterior motives but that isn't relevant. The starting point for the ICO is that they have a right to their personal data.

Insight

Thinking Business – Issue Seven

Explore
Insight

IR35 compliance update

Explore
Insight

Legal implications of the Mencap decision

Explore
Insight

HR Law – February 2020

Explore
Insight

Parental bereavement leave regulations laid before Parliament

Explore
Insight

Data protection: compliance with subject access requests

Explore