Under Article 15 of the General Data Protection Regulation (GDPR), individuals have the right to request a copy of any of their personal data processed by their employer (the “controller”) – commonly referred to as making a data subject access request (DSAR). DSARs made to employers are increasingly common, especially when used as a precursor to litigation or negotiating an exit package.

The Data Protection Commission (the Irish supervisory authority for the GDPR) has recently published some helpful FAQs on how an employer is obliged to respond to a DSAR. Although this is guidance and has been issued by the Irish supervisory authority, it follows the principles of the GDPR so should prove useful to controllers across all EU jurisdictions.

If you’re an employer, don’t get caught out. Your privacy policy and internal procedures might stipulate how DSARs should be made and responded to, but just because an employee has not followed your internal protocol, it doesn’t mean you’re off the hook.

Read on to make sure you don’t fall foul of some of the most common misconceptions about DSARs.

Myth #1 – Special conditions must be met before an individual can make a valid DSAR

Individuals can make a DSAR to anyone who is processing or who they think might be processing their personal data (which will almost always apply in an employment context). There are no other formal requirements for a DSAR to be valid. Provided the request is sufficiently clear for you to act on, you have to respond – even if that means informing the individual that you cannot act because the request is too complex, unfounded or excessive (which will only apply in very limited circumstances).

If the request is not sufficiently clear or too broad, in most cases it’s reasonable for the employer to at least initially clarify and/or seek agreement to narrow down the request to satisfy their own legal obligations. An unreasonable outright refusal to comply with a DSAR is unlikely to be well regarded by data regulators.

Myth #2 – A DSAR must be made in writing

An individual does not have to submit a DSAR in writing and is entitled to make a request verbally. Where a DSAR is made over the phone or in person, the employer should note down the relevant details of that DSAR (such as the date and time it was made, the individual concerned and the specific details of the request). It is important to keep an adequate paper trail of communications, not only to avoid misunderstandings but also in case of a dispute over your deadline to respond to the DSAR.

Myth #3 – When an employer provides a standard or online form for making a DSAR, the individual must use that form or their request is invalid

Employers are encouraged to provide a standard form for individuals to make a DSAR; it streamlines a request and also helps the individual understand what information they need to provide. However, failure to use this form does not relieve an employer of its obligation to respond to the DSAR. And as we’ve seen in Myth #2, a DSAR doesn’t have to be made in writing.

Myth #4 – DSARs must be submitted to the employer’s designated individual (e.g. the data protection officer)

A valid DSAR can be made to any member of staff. Even if your data privacy policy designates a person to receive DSARs (which is encouraged to make DSARs more efficient) it is not mandatory for an employee to contact that designated person. Where a DSAR is submitted to another member of staff, they should ideally forward it to the designated person to help the process run smoothly – ensuring the employee is copied in so they know who is handling their request.

Myth #5 – Individuals have to provide proof of ID before an employer can respond to a DSAR

You should only request proof of the individual’s identity where it’s reasonable and proportionate to do so. If an individual is requesting particularly sensitive data or there are reasonable doubts about their identity, requesting proof of identity might be appropriate. However, such a request should be the exception, not the norm.

Myth #6 – Employers can respond to a DSAR at any time

You must respond to a valid DSAR without undue delay and at the latest within one month of receiving a request. An employer can only extend the time to respond by up to two months in particularly complex cases. Although there’s little guidance on what might be considered “complex” for DSAR purposes, in an employment context it might be because the employer has to process numerous different sets of information about an employee, across numerous entities.

Myth #7 – An employer can charge the individual for responding to a DSAR

An employer can ask an individual to pay for a DSAR only in limited circumstances, for example if the request is manifestly unfounded or excessive. If, as an employer, you can prove this is the case, you can charge a ‘reasonable fee’ for the admin costs of complying with the request.

If you would like any advice on DSARs or to find out more and to discuss your requirements, please get in touch with Razia Begum or Rachel Ashwood.