As mentioned in our previous GDPR update, the eighth update in this series will deal with the topic of mandatory breach notifications from an employment law perspective and the right of data subjects (eg, prospective, current and past employees) to make a data subject access request (“DSAR”) to data controllers (eg, employers) under the GDPR.
Every data subject can request that their employer provide them with a copy of all the personal data held by the employer about them. This right has existed for some time but the GDPR introduces several changes. From 25 May 2018, the number of days an employer has to comply with a DSAR will be reduced from 40 days down to one month. Therefore, it is imperative that, once an employer receives a DSAR, they deal with it immediately. This is because employers will likely have to review large volumes of information in order to identify all of the data subject’s personal data. In addition, third party data will often need to be redacted which can be very time consuming.
The one-month period may be extended by a further two months, though we expect that it will be difficult for employers in the vast majority of cases to justify extending the one-month time limit.
Another GDPR change is that the requirement for an employee to provide their employer with the administrative fee of €6.35 has been removed. This means that employees can now make a DSAR completely free of charge. While this might not appear to be a significant change, the payment of the fee by cheque or bank draft was an inconvenient administrative burden for employees which may have dissuaded at least some from making a DSAR. From 25 May 2018, a DSAR can be initiated simply by an employee emailing their employer and requesting a copy of all their personal data. Employers should therefore be ready for a significant increase in such requests going forward.
An employer can only refuse to comply with a DSAR if it is:
- manifestly unfounded; or
- excessive (in particular because of the repetitive nature of requests).
Unhelpfully, the GDPR does not define “excessive” or “manifestly unfounded”. It therefore remains to be seen under what circumstances, in practice, an employer can refuse to comply with a DSAR.
It should be noted that employees are not only entitled to a copy of all their personal data but are also entitled to the following information:
- the purposes of the processing;
- the categories of personal data held by the employer;
- the recipients of the personal data;
- the envisaged storage period for the personal data (or, if this is not possible, the criteria used to determine the storage period);
- where the personal data are not collected from the employee, any available information as to their source;
- the existence of automated decision-making or profiling (including meaningful information about the logic involved, as well as the significance and envisaged consequences of such processing).
We expect this to be one of the main areas of dispute with employees going forward, as they challenge the adequacy or validity of responses received to such requests. When responding to a DSAR, an employer should also inform the employee of their rights under the GDPR and of the existence of their right to lodge a complaint with a supervisory authority, which would be the Data Protection Commissioner (“DPC”) in Ireland. Another new change under the GDPR is that, where the DSAR is made by electronic means (and unless otherwise requested by the employee), the information must be provided in electronic form.
When an employer receives a DSAR, they should examine the request to see if the data subject is looking for a copy of all their personal data or if only certain personal information is being requested. As mentioned above, a data subject is entitled to a copy of all their personal data, and in our experience they will just look for everything. That being said, they may only be concerned with a particular set of data. For example, an employee with a specific grievance will be much more concerned with the personal data relating to that grievance. Similarly, a person employed with a company for 20 years may simply wish to obtain a copy of the information relating to issues that have come up in the last year or two. In order therefore to reduce the administrative burden and significant potential cost of responding to a DSAR, we would encourage employers to proactively look to narrow the scope of the request with the employee as soon as the DSAR is received. This is because there is nothing stopping an employer from asking the question: “is there something in particular that you are looking for?” Again in our experience, not enough employers take this opportunity, which could save them significant time and cost. If the data subject reverts however and requests a copy of all their personal data then they are entitled to a copy of it.
In summary, DSARs will likely give rise to considerable time and cost burdens for employers, with limited scope to refuse the requests. Adopting strict data retention policies and deleting older data where possible can help reduce administrative burdens, as there will be less information for employers to provide to data subjects. That being said, in most cases, it will not be possible to avoid DSARs. Employers should therefore analyse their systems and work practices in order to see how they can respond to DSARs in the most efficient manner possible.
In our next article, we will examine in more detail the topic of mandatory breach notifications and the new notification requirements under the GDPR.