Data Subject Access Requests and Updated Employee Data Protection Policy

February 2018

The General Data Protection Regulation (GDPR) comes into effect on 25 May 2018 and, this month, Simply-Docs has added a number of documents on dealing with subject access requests under the GDPR. A subject access request is a request for information that an organisation may hold about an individual and such requests are often made in the context of actual or potential employment-related grievances or litigation. 

Under the GDPR, individuals (including employees, workers, contractors and job applicants) have the right to obtain confirmation from their employer as to whether or not the employer processes personal data relating to them.

If the employer does process personal data, it must provide the individual with access to the data, including a copy of the personal data. Specifically, the employer must advise the employee on:

  • whether or not the employee's personal data is being processed;
  • the purposes of the processing and the categories of personal data concerned; 
  • the recipients to whom the data has been or will be disclosed;
  • how long the data will be stored, or how that period is determined;
  • the employee's rights in relation to the rectification or erasure of data, the restriction of processing and how to object to processing;
  • the employee's right to lodge a complaint with the supervisory authority;
  • any third-party sources of the data, where this information is available; and
  • information about the logic involved in any automated decision-making, if applicable.

The company is also required to provide the employee with a copy of the personal data undergoing processing.

The Simply-Docs suite of documents includes an Employee's Subject Access Request Form – GDPR Compliant, which individuals can use to make a data subject access request. However, employers should be aware that requests do not have to be made in this format and they should still respond to requests that are made by, say, email.

Employers are not required to comply with a subject access request if they cannot identify the individual. If an employer has doubts about the identity of a data subject, they may request further information (e.g. certified copy of a passport or driving licence) in order to confirm the individual’s identity.

Under the Data Protection Act (DPA), employers had 40 days in which to respond to a subject access request. Under the GDPR, the employer should provide the requested information to the individual at the earliest opportunity and certainly within one month of receipt of the request. If the request is particularly complex, the employer can extend the response period by two months. In those circumstances, the employer must inform the individual of any such extensions within one month of receipt of the request along with the reasons for the delay. If an employee makes a data subject access request, the employer will have to provide a copy of the individual’s data free of charge. If, however, the request is excessive or unfounded, a ‘reasonable’ fee will be chargeable in order to cover the administrative costs of complying with the request.

One of the key concerns for businesses in respect of the GDPR is the power of the Information Commissioner’s Office (ICO) to levy fines and take action against any organisation that breaches the GDPR. Under the DPA, the maximum fine the ICO is entitled to levy against a data controller that breaches the legislation is £500,000. Under the GDPR, the ICO can impose fines of up to 20 million euros or 4% of group worldwide turnover (whichever is greater) against both data controllers and data processors.

Our Employee Data Protection Policy has been updated this month for compatibility with the GDPR. As an employer, you will collect, hold, and process personal data about your employees. For the purposes of the GDPR, this renders you a “data controller” and thus subject to the GDPR’s wide-ranging requirements.

Key updates and improvements to this Policy template include detailed coverage of the rights of data subjects under the GDPR, and the obligations of the business as a whole. As this document is designed to assist businesses in preparing for GDPR compliance, it is high in detail, reproducing a number of important provisions from the GDPR itself, thus providing an important source of information to employers and employees alike.

More GDPR compliant documents will be released by Simply-Docs in the upcoming weeks to put your business in the best possible position to comply with requirements of the GDPR.

The contents of this Newsletter are for reference purposes only and do not constitute legal advice. Independent legal advice should be sought in relation to any specific legal matter.

Top