Preiskel & CoPreiskel & Co
Preiskel & Co
  • Home
  • About Us
    • Diversity, Social Responsibility, and Pro Bono
  • Services
    • Corporate
    • Commercial
    • Regulatory
    • Competition & Antitrust
    • Data Protection, Privacy, and Retention
    • Intellectual Property
    • Dispute Resolution
    • Employment
  • Sectors
    • Telecommunications
    • IT, Technology, & Internet
    • Media and Broadcasting
    • Websites, Blogging, & Social Media
    • Film & Television
    • Gambling & Online Gaming
    • Leisure & Retail
    • Energy & Minerals
    • Cryptocurrency & Blockchain
    • Creative Industries
  • People
    • Daniel Preiskel
    • Ronnie Preiskel
    • Tim Cowen
    • Jose Saras
    • Robert Dougans
    • Tina Cowen
    • D A T Green
    • Karthyaeni Vittala
    • Mor Swiel
    • Ilanit Appelfeld
    • Charles Soden-Bird
    • Nick Bromfield
    • Stephen Dnes
    • Daniel Oakland
    • Robert Harvey
    • Martina Raciti
    • Matthew Fox
    • Joanna Coombs-Huang
    • Xavier Prida
    • Mark Clough
    • Stewart White
    • Hannah Leader
    • Peter Dally
    • Antony Corel
    • Sue Warwick
    • Galyna Carey
    • Stephen Hornsby
    • Claire Barraclough
  • International
  • Blog
  • News
    • Publications
  • Contact
Menu back  

Employees and the dreaded data subject access request

October 25, 2018By Preiskel & Co

The right of an individual to obtain copies of their personal data from a company is a key element of the General Data Protection Regulation ((EU) 2016/679) and the Data Protection Act 2018 (which adopts the GDPR and supplements the GDPR requirements). But when the individual seeking the information is a current employee, it can be difficult to find the right balance between disclosure and protecting your company’s legitimate interests.

Rights to access: the legal framework

In the United Kingdom, an individual’s right to access data concerning him or her has been a key part of data protection legislation since at least the Data Protection Act 1984. Over the last 35 years however, the information held by companies which constitutes personal data has expanded exponentially, thanks to both technological innovations as well as how “personal data” is defined and the wide interpretation of “personal data” given by the courts.

The right of an individual to request access to and copies of their personal data is enshrined in the data subject protections established by the GDPR. It is also a fundamental right under the Charter of Fundamental Rights of the European Union (2012/C 326/02), wherein Article 8(2) states that “everyone has the right of access to data” which is collected about them.

DSARs in an employment context

Clearly, this right extends to employees. In such circumstances, data subject access requests (“DSARs”) are frequently made in light of employment disputes, or even tribunal or court claims. Article 12 of the GDPR sets out what information the individual is permitted to, which includes (by way of summary) a copy of the personal data in question, together with the purpose for which the personal data is being used, and the recipients of the data.

A company’s obligations and rights when considering a DSAR

Responding to a DSAR can involve considerable effort and time, as well as an analysis of the employee’s objectives. If proper procedures are not in place, the employer runs the risk of violating its obligations under the GDPR.

As a controller of the individual’s personal data, the employer is obliged to handle the employee’s request in a fair and transparent way. The employer must likewise facilitate the employee’s exercise of their rights, and do so in a manner which is concise, intelligible and easily accessible, using clear and plain language (Article 12 GDPR). Furthermore, the request must be acknowledged and dealt with without undue delay, and in any event within 30 days of receipt. Only in certain circumstances is an additional two-month extension to handle the request permitted.

Exceptions in the context of Employee Disputes

In most cases, an employer will be required to action a request by responding. However, it is important to note – especially in the context of employment disputes – that some circumstances permit an employer to limit the information provided to the data subject, or refuse the request entirely.

By way of example, if an individual’s request is very wide, the employer may argue that it is “manifestly unfounded or excessive.” In such instances, the employer could seek to charge a fee or refuse to act on the request. Likewise, there is no obligation to comply with a subject access request if legal professional privilege applies, nor is there a general obligation to release personal data which is used for the purposes of management planning, where doing so would prejudice the conduct of the business.

Despite the exemption which may apply, employers must be very careful when handling DSARs from dissatisfied or potentially litigious employees. If a data subject believes that the employer has failed to comply with the requirements of the access request, they are entitled to challenging the response by complaining to the Information Commissioner, and/or applying to a court for a compliance order.

Ignoring the DSAR won’t make it go away.

Whether a data subject access request is granted or not, the response must be acknowledged properly. The response to employees must adhere to prescriptive legislation and tight deadlines. Given the potential technical complexity, reputational risks and other HR-related nuances, an organisation must ensure that it has adequate procedures in place, and that its staff working on the subject access request have sufficient training.

 

Please contact Jose Saras if you have any questions regarding the above.

Latest blog posts
  • European Commission proposal for Digital Services Act published
    December 15, 2020
  • Facebook faces antitrust lawsuits in the US
    December 11, 2020
  • CMA issues advice for Government on regulatory regime for tech giants
    December 10, 2020
  • New Telecoms Security Law Laid before Parliament for tougher Rules and Fines for Telecoms Companies
    November 25, 2020
  • New Ofcom Consultation on Copper Retirement
    November 23, 2020
  • European Commission releases draft new Standard Contractual Clauses
    November 19, 2020
  • National Security and Investment Bill published
    November 16, 2020
  • Inherited GDPR breach still leads to a record fine for Marriott
    November 3, 2020
  • UK National Data Strategy: a step further away from an adequacy decision under the GDPR?
    October 21, 2020
  • British Airways issued £20 million fine by ICO for data breach
    October 20, 2020
  • Consumer rights in times of COVID-19: key issues to be considered by traders
    September 17, 2020
  • TuneIn limits international radio streaming services following English High Court judgment
    September 16, 2020
The Preiskel Blog
  • European Commission proposal for Digital Services Act published 15 Dec 2020
  • Facebook faces antitrust lawsuits in the US 11 Dec 2020
  • CMA issues advice for Government on regulatory regime for tech giants 10 Dec 2020
  • New Telecoms Security Law Laid before Parliament for tougher Rules and Fines for Telecoms Companies 25 Nov 2020
Preiskel news
  • Tim Cowen to deliver Oxford lecture on 12 February 2021
  • CMA announces investigation into Google Privacy Sandbox
  • Preiskel advised Dubber’s acquistion of UK mobile recording company Speik
  • Tim Cowen to speak at Cornerstone Panel on 15 December 2020
Preiskel tweets
  • We can't wait to hear what @TC_4KBW has to say when he delivers a guest lecture for @OxfordLawFac on searching for… https://t.co/ko8Kk44aTm8 days ago
  • We're delighted to see this announcement, following a complaint from Marketers for an Open Web, advised by @TC_4KBW https://t.co/JG1D3gWwRF8 days ago
  • The @EU_Commission has published its proposal for a Digital Services Act to regulate digital gatekeepers. More det… https://t.co/Q5v8C8E9hq32 days ago
Preiskel & Co LLP
4 King's Bench Walk,
Temple,
London
EC4Y 7DL
United Kingdom

Tel:
+44 20 7332 5640
Email:
info@preiskel.com

Find us on:

TwitterLinkedinMail
© Preiskel & Co LLP 2021 | Site map | Legal notices | Privacy | Cookie Policy

   

We use essential and analytic cookies on our website. By continuing to use our site, you are agreeing to the use of cookies as set in our Cookie Policy. OKCookie policy