22 / 05 / 2018

With the implementation of GDPR imminent, we highlight the key differences between the current position under the Data Protection Act 1998 and the new position under GDPR in respect of data subject access requests (“DSARs“).

DSARs are often used in an employment context as a tool in disputes. It is therefore important that employers get to grips with the changes that the GDPR makes to the rules on DSARs in order that they do not find themselves in breach for non-compliance after 25 May 2018.

Fee Employer is entitled to charge a maximum fee of £10. Information must be provided free of charge.

A reasonable fee can be charged if the request is manifestly unfounded or excessive. Due to the lack of guidance on this point, it is unclear how easy it will be to establish that the request is manifestly unfounded or excessive.

Scope of Request An employer is entitled to request further information from an employee to locate the personal data requested under the DSAR. No explicit right to request further information from the employee. There is a similar provision in the recitals to the GDPR which suggests, however, that an employer should be able to request that an individual specify the data sought where the employer processes a great deal of information about the individual.
Deadline for Response Employer must comply with the request “promptly” and at the latest within 40 days of receipt of the request.

This deadline can be extended to 40 days after receipt (if applicable) of all of the following: the fee, evidence to confirm identity, any information necessary to locate the information sought.

Employer must provide the information without undue delay, and in any event, within one month of receipt of the request.

Employer may extend this period by up to two months where necessary, taking into account the complexity and number of requests.

Form of Request Request must be made:

  • in writing; and
  • may be given in hard copy, personally delivered or by post, or made electronically by email or via social media.
Request must be made:

  • in writing or by email or other electronic means.

Employer should provide means for requests to be made electronically.

Format of Response No prescribed format for response but it must be in “intelligible” form. Response should be in writing, or if appropriate, by electronic means.

If the original request was made by electronic means, information should be provided in a “commonly used” electronic form, unless the employee requests otherwise. The recitals to the GDPR suggest that access should be given to a remote, online secure system so that individuals are given direct access to their personal data.

Refusal to Respond No right to refuse to respond to a request. If the request is “manifestly unfounded or excessive”, the employer may refuse the request.

Employer must give reasons for refusal and inform the employee that, if there is a dispute, the employee may complain to the Information Commissioner or apply to the Court for a compliance order.