Request Received
STEP ONE Assess nature and timing of the request
How was the request made? If a request is submitted electronically, the information must be provided in electronic form unless otherwise requested by the data subject.
When was the request made? An employer must respond to an access request without delay and within one month of receipt of the request.
Can a fee be charged? Under the GDPR, employers may no longer charge fees for responding to data access requests unless the request is manifestly unfounded or excessive, in which case a "reasonable fee" may be charged.
Is the request complex/are there multiple requests? The response period may be extended by two further months in these circumstances. The data subject must be informed of the extension. Employers should be able to demonstrate why an extension is required.
Start to gather additional information. The following additional information must be provided when completing data access requests: the purposes of the processing; the categories of personal data concerned; the recipients/categories of recipient to whom personal data have been or will be disclosed; the envisaged storage period of the data; and the existence of data subject rights of rectification, objection, erasure, restriction.
STEP TWO Assess content of the request
Should data be provided as part of an access request? If a data access request is refused, reasons for such refusal must be provided within one month of the date of the request. A data subject may also challenge the basis on which certain data is not provided if a data access request is partially responded to. Employers should carefully review the data to be provided before making a decision.
Is the data personal data? Personal data is information related to an identified or identifiable person. The data must relate to the data subject.
Will providing the data adversely affect the rights and freedoms of others?
Does legal privilege apply?
Is the request manifestly unfounded or excessive? An employer may refuse to act on the request in these circumstances. The onus of demonstrating the manifestly unfounded or excessive character of the request is on the employer, and it is expected that this will be interpreted strictly.
GDPR FOR EMPLOYERS: DATA ACCESS REQUEST PROCESS MAP
STEP THREE Provide response to access request to data
If a data subject feels that the response does not satisfy their right to access, they may seek to invoke remedies under the GDPR:
Complaint to Data Protection Commission: May result in administrative sanctions imposed against the employer of up to €20 million or 4% of total worldwide annual turnover in the previous financial year.
Judicial Remedy: May result in the High Court or Circuit Court granting injunctive or declaratory relief or compensation for material and non-material damage suffered by the employee.
For further information please speak to your usual Arthur Cox contact or any member of the team:
LOUISE O'BYRNE, PARTNER, +353 1 920 1185, firstname.lastname@example.org
TECHNOLOGY AND INNOVATION GROUP
RACHEL BARRY, ASSOCIATE, +353 1 920 1281, email@example.com
SALLY DOYLE, ASSOCIATE, +353 1 920 1785, firstname.lastname@example.org
ROB CORBET, PARTNER, +353 1 920 1211, email@example.com
COLIN ROONEY, PARTNER, +353 1 920 1194, firstname.lastname@example.org
HUGH MCCARTHY, ASSOCIATE, +353 1 920 1324, email@example.com
Dublin: +353 1 920 1000, email@example.com
Belfast: +44 28 9023 0007, firstname.lastname@example.org
London: +44 207 832 0200, email@example.com
New York: +1 212 782 3294, firstname.lastname@example.org
Silicon Valley: +1 650 943 2330, firstname.lastname@example.org