Future of work: What to do with GDPR/data subject access requests


Share

Since the GDPR came into force there has been a rise in subject access requests (SARs).

An employee has the right to obtain information from an employer as to whether or not personal data is being processed about him or her. Personal data is information relating to an individual from which they can be identified. If personal data is being processed, the employee is entitled to be given a copy of this personal data. This must be provided free of charge, without undue delay and, in most cases, within one month of receipt of the request.

Although an employer must make genuine and extensive efforts to comply with a SAR, it does not have to go so far as to leave no stone unturned. Subject access requests are subject to the principle of proportionality, and although an employer should be prepared to make extensive efforts to find and retrieve the requested information, it is not required to do things that would be unreasonable or disproportionate to the importance of providing subject access. You may suspect the employee has ulterior motives but that isn't relevant. The starting point for the ICO is that they have a right to their personal data.

Insight

HR Law - July 2022

Explore
News

Trowers promotes 10 to partnership

Explore
Insight

Draft legislation introduced making it easier for employers to hire agency staff to cover striking workers

Explore
Insight

New Regulations expand the category of people able to sign off "fit notes" 

Explore
Insight

Statutory Code on fire and rehire to be published in the summer

Explore
Insight

Ironing out tricky holiday issues

Explore