GDPR Subject Access Requests
I have received a subject access request asking for “all” personal data from a current employee. How do I deal with this?
Under the Data Protection Act 2018, individuals can make a Subject Access Request (SAR) to their employer to access their personal data. Employers should have an accessible policy to deal with such requests.
Usually, the designated Data Protection Officer or Compliance Officer is the person who will respond to the request. Once you receive the SAR, you will have a month to respond. SARs do not normally incur a cost; however, if the request is repetitive, excessive or manifestly unfounded, the employer may request a reasonable fee.
The data subject should be informed:
- Whether or not their data is processed and the reasons for the processing of their data;
- The categories of personal data concerning them;
- Where their data has been collected from if it was not collected from them;
- Anyone who their personal data has been disclosed to or will be disclosed to, including anyone outside of the EEA and the safeguards utilised to ensure data security;
- How long their data is kept for (or how that period is decided);
- Their rights in relation to data rectification, erasure, restriction of and objection to processing;
- Their right to complain to the Office of the Data Protection Commissioner if they are of the opinion that their rights have been infringed;
- The reasoning behind any automated decisions taken about them.
An employer may refuse to deal with a request, or part of it, because of the types of information requested. For example, information which is subject to legal privilege or relates to management planning is not required to be disclosed.
Where this is the case, the data subject should be informed that their request cannot be complied with and an explanation of the reason will need to be provided.
If you have any questions in relation to subject access requests, please contact the advice line on 1890 252 923.