Preiskel & Co
A boutique law firm in London

Employees and the dreaded data subject access request

October 25, 2018 | By Preiskel & Co

The right of an individual to obtain copies of their personal data from a company is a key element of the General Data Protection Regulation ((EU) 2016/679) and the Data Protection Act 2018 (which adopts the GDPR and supplements the GDPR requirements). But when the individual seeking the information is a current employee, it can be difficult to find the right balance between disclosure and protecting your company’s legitimate interests.

Rights to access: the legal framework

In the United Kingdom, an individual’s right to access data concerning him or her has been a key part of data protection legislation since at least the Data Protection Act 1984. Over the last 35 years, however, the information held by companies which constitutes personal data has expanded exponentially, thanks both to technological innovations and to how “personal data” is defined and the wide interpretation of “personal data” given by the courts.

The right of an individual to request access to and copies of their personal data is enshrined in the data subject protections established by the GDPR. It is also a fundamental right under the Charter of Fundamental Rights of the European Union (2012/C 326/02), wherein Article 8(2) states that “everyone has the right of access to data” which is collected about them.

DSARs in an employment context

Clearly, this right extends to employees. In such circumstances, data subject access requests (“DSARs”) are frequently made in light of employment disputes, or even tribunal or court claims. Article 12 of the GDPR sets out what information the individual is permitted to receive, which includes (by way of summary) a copy of the personal data in question, together with the purpose for which the personal data is being used, and the recipients of the data.

A company’s obligations and rights when considering a DSAR

Responding to a DSAR can involve considerable effort and time, as well as an analysis of the employee’s objectives. If proper procedures are not in place, the employer runs the risk of violating its obligations under the GDPR.

As a controller of the individual’s personal data, the employer is obliged to handle the employee’s request in a fair and transparent way. The employer must likewise facilitate the employee’s exercise of their rights, and do so in a manner which is concise, intelligible and easily accessible, using clear and plain language (Article 12 GDPR). Furthermore, the request must be acknowledged and dealt with without undue delay, and in any event within 30 days of receipt. Only in certain circumstances is an additional two-month extension to handle the request permitted.

Exceptions in the context of Employee Disputes

In most cases, an employer will be required to action a request by responding. However, it is important to note – especially in the context of employment disputes – that some circumstances permit an employer to limit the information provided to the data subject, or refuse the request entirely.

By way of example, if an individual’s request is very wide, the employer may argue that it is “manifestly unfounded or excessive.” In such instances, the employer could seek to charge a fee or refuse to act on the request. Likewise, there is no obligation to comply with a subject access request if legal professional privilege applies, nor is there a general obligation to release personal data which is used for the purposes of management planning, where doing so would prejudice the conduct of the business.

Despite the exemptions which may apply, employers must be very careful when handling DSARs from dissatisfied or potentially litigious employees. If a data subject believes that the employer has failed to comply with the requirements of the access request, they are entitled to challenge the response by complaining to the Information Commissioner, and/or applying to a court for a compliance order.

Ignoring the DSAR won’t make it go away.

Whether a data subject access request is granted or not, the response must be acknowledged properly. The response to employees must adhere to prescriptive legislation and tight deadlines. Given the potential technical complexity, reputational risks and other HR-related nuances, an organisation must ensure that it has adequate procedures in place, and that its staff working on the subject access request have sufficient training.

 

Please contact Jose Saras if you have any questions regarding the above.
