Preiskel & CoPreiskel & Co
Preiskel & Co
  • Home
  • About Us
    • Diversity, Social Responsibility, and Pro Bono
  • Services
    • Corporate
    • Commercial
    • Regulatory
    • Competition & Antitrust
    • Data Protection, Privacy, and Retention
    • Intellectual Property
    • Dispute Resolution
    • Employment
  • Sectors
    • Telecommunications
    • IT, Technology, & Internet
    • Media and Broadcasting
    • Websites, Blogging, & Social Media
    • Film & Television
    • Gambling & Online Gaming
    • Leisure & Retail
    • Energy & Minerals
    • Cryptocurrency & Blockchain
    • Creative Industries
  • People
    • Daniel Preiskel
    • Ronnie Preiskel
    • Tim Cowen
    • Jose Saras
    • Robert Dougans
    • Karthyaeni Vittala
    • Tina Cowen
    • D A T Green
    • Richard Stewart
    • Mor Swiel
    • Ilanit Appelfeld
    • Stephen Dnes
    • Daniel Oakland
    • Robert Harvey
    • Martina Raciti
    • Joanna Coombs-Huang
    • Xavier Prida
    • Stewart White
    • Alison MacFarlane
    • Hannah Leader
    • Peter Dally
    • Antony Corel
    • Sue Warwick
    • Tony Curzon-Price
    • Shardi Shameli
    • Stephen Hornsby
    • Ewelina James
    • Maria Constantin
    • Sophia Yakhno
    • Rachael Machado
  • International
  • Blog
  • News
    • Publications
  • Contact
Menu back  

Employees and the dreaded data subject access request

October 25, 2018By Preiskel & Co

The right of an individual to obtain copies of their personal data from a company is a key element of the General Data Protection Regulation ((EU) 2016/679) and the Data Protection Act 2018 (which adopts the GDPR and supplements the GDPR requirements). But when the individual seeking the information is a current employee, it can be difficult to find the right balance between disclosure and protecting your company’s legitimate interests.

Rights to access: the legal framework

In the United Kingdom, an individual’s right to access data concerning him or her has been a key part of data protection legislation since at least the Data Protection Act 1984. Over the last 35 years however, the information held by companies which constitutes personal data has expanded exponentially, thanks to both technological innovations as well as how “personal data” is defined and the wide interpretation of “personal data” given by the courts.

The right of an individual to request access to and copies of their personal data is enshrined in the data subject protections established by the GDPR. It is also a fundamental right under the Charter of Fundamental Rights of the European Union (2012/C 326/02), wherein Article 8(2) states that “everyone has the right of access to data” which is collected about them.

DSARs in an employment context

Clearly, this right extends to employees. In such circumstances, data subject access requests (“DSARs”) are frequently made in light of employment disputes, or even tribunal or court claims. Article 12 of the GDPR sets out what information the individual is permitted to, which includes (by way of summary) a copy of the personal data in question, together with the purpose for which the personal data is being used, and the recipients of the data.

A company’s obligations and rights when considering a DSAR

Responding to a DSAR can involve considerable effort and time, as well as an analysis of the employee’s objectives. If proper procedures are not in place, the employer runs the risk of violating its obligations under the GDPR.

As a controller of the individual’s personal data, the employer is obliged to handle the employee’s request in a fair and transparent way. The employer must likewise facilitate the employee’s exercise of their rights, and do so in a manner which is concise, intelligible and easily accessible, using clear and plain language (Article 12 GDPR). Furthermore, the request must be acknowledged and dealt with without undue delay, and in any event within 30 days of receipt. Only in certain circumstances is an additional two-month extension to handle the request permitted.

Exceptions in the context of Employee Disputes

In most cases, an employer will be required to action a request by responding. However, it is important to note – especially in the context of employment disputes – that some circumstances permit an employer to limit the information provided to the data subject, or refuse the request entirely.

By way of example, if an individual’s request is very wide, the employer may argue that it is “manifestly unfounded or excessive.” In such instances, the employer could seek to charge a fee or refuse to act on the request. Likewise, there is no obligation to comply with a subject access request if legal professional privilege applies, nor is there a general obligation to release personal data which is used for the purposes of management planning, where doing so would prejudice the conduct of the business.

Despite the exemption which may apply, employers must be very careful when handling DSARs from dissatisfied or potentially litigious employees. If a data subject believes that the employer has failed to comply with the requirements of the access request, they are entitled to challenging the response by complaining to the Information Commissioner, and/or applying to a court for a compliance order.

Ignoring the DSAR won’t make it go away.

Whether a data subject access request is granted or not, the response must be acknowledged properly. The response to employees must adhere to prescriptive legislation and tight deadlines. Given the potential technical complexity, reputational risks and other HR-related nuances, an organisation must ensure that it has adequate procedures in place, and that its staff working on the subject access request have sufficient training.

 

Please contact Jose Saras if you have any questions regarding the above.

Latest Preiskel & Co blog posts
  • New EU rules to boost IoT data sharing: the EU Data Act
    March 30, 2023
  • Advocate General Opinion on Automated Credit-Scoring & Retention of Insolvency Data
    March 28, 2023
  • White House’s Economic Report of the President sets out a roadmap to improve competition in digital markets
    March 22, 2023
  • Brussels Conference brings in industry leaders to discuss the international antitrust landscape
    March 22, 2023
  • Issues in the UK’s forthcoming Digital Markets, Competition and Consumer Bill
    March 17, 2023
  • Stormy weather for cloud computing in the EU
    March 16, 2023
  • Inmarsat Takeover Provisionally Cleared for Take-Off
    March 10, 2023
  • EDPB’s Feedback on the New EU-U.S. Data Privacy Framework
    March 6, 2023
  • UK Data Reform Bill to return to the House of Commons
    March 3, 2023
  • DCMS Publishes New Security and Privacy Principles for App Store Operators and Developers
    February 16, 2023
  • DPO’s Dismissal & Conflicts of Interest Under The EU GDPR – CJEU Ruling
    February 14, 2023
  • ICO – Change of Deadline for Reporting Breach Notifications for Communication Service Providers
    February 6, 2023

The Preiskel Blog

  • New EU rules to boost IoT data sharing: the EU Data Act 30 Mar 2023
  • Advocate General Opinion on Automated Credit-Scoring & Retention of Insolvency Data 28 Mar 2023
  • White House’s Economic Report of the President sets out a roadmap to improve competition in digital markets 22 Mar 2023
  • Brussels Conference brings in industry leaders to discuss the international antitrust landscape 22 Mar 2023

Preiskel news

  • Senior Partner, Danny Preiskel, quoted by IT Pro on the costs incurred by MNOs
  • Senior Partner, Danny Preiskel, will be a panellist at GCCM Carrier Community 2023 on IOT
  • Jose Saras and Xavier Prida Awarded First Place as Data Protection Thought Leaders in the UK
  • Ronnie Preiskel chosen to judge 24 May 2023 The Tech Capital Global Awards
Preiskel tweets
  • New EU rules to boost IoT data sharing: the EU Data Act. Find out more at: https://t.co/1OUHlssIOByesterday
  • Advocate General Opinion on Automated Credit-Scoring & Retention of Insolvency Data. Find out more here: https://t.co/bJkvPBvj6F3 days ago
  • Issues in the UK’s forthcoming Digital Markets, Competition and Consumer Bill. Find out more: https://t.co/3BHP1xq69Y9 days ago
Preiskel & Co LLP
4 King's Bench Walk,
Temple,
London
EC4Y 7DL
United Kingdom

Tel: +44 20 7332 5640
Email: info@preiskel.com

Find us on:

TwitterLinkedinMail
© Preiskel & Co LLP 2023 | Site map | Legal notices | Cookie Policy | Privacy