Summary: Welcome to the second post in our ‘GDPR HR Issues’ blog series. Drawing on key insights from across Bryan Cave Leighton Paisner’s global Employment & Labor team, the series highlights key GDPR issues affecting employers.
With the General Data Protection Regulation (‘GDPR’) coming into effect today, employers with EU-based staff need to ensure that they properly comply with the new regime. Failure to do so can result in significant fines and disruption to your business.
This blog focuses on the changes made by GDPR to a fundamental data protection right – an employee’s right to find out what information their employer holds on them by making a data subject access request (‘DSAR’).
Complying with a DSAR can involve a lot of work and significant cost, not least because the request may require the employer to search in many different places for the employee information, which by its nature may not be held in a clearly structured way. For example, an employee could ask for details of email discussions that others in the organisation have had about them over a long time period, which could require doing extensive searches of various email accounts. In some jurisdictions it is common for employees who are in dispute with their employer to use DSARs to obtain early disclosure of information that they can use in their dispute, or simply to put pressure on the employer. An employer cannot normally refuse to provide the information, unless an exception applies. A common exception in this context is where disclosing the information adversely affects the rights and freedoms of others, for example, where the information also contains details about another co-worker.
1. What information is an employee entitled to when they make a DSAR?
An employee making a DSAR has the right to be told:
- whether the employer is processing information about them;
- if so, to be given a copy of their employee information, together with various details, including why the employer is processing the information, the types of information, the recipients to whom the information has or will be disclosed (including internationally), how long the information will be stored, the source of the information, and details of any automated decision-making;
- their rights to ask to rectify, erase or restrict employer use of the employee information, and the right to complain to a data protection authority; and
- where information is transferred outside the EEA, details on any safeguards regarding that overseas transfer.
2. How quickly must we deal with a DSAR?
Under GDPR you have to comply with the request without undue delay, and in any event within one month. Where the request is complex, for example because it requires searching substantial quantities of information across many different systems, you can extend the deadline by a further 2 months. If that is the case, you must inform the employee that you will be taking more time to respond within one month of receipt of the request.
3. Can we charge employees for the cost of dealing with their DSAR?
No. The default position is that the information must be provided free of charge. However, employers may charge a reasonable fee for the administrative costs of complying, if the employee’s request is manifestly unfounded or excessive, for example if the employee asks for further copies of the same information. In practice, employers should consider engaging with the employee to discuss and manage the scope of the DSAR, before making such charges.
4. How should we provide the information?
If the employee makes the request electronically, you should provide the information in a commonly used electronic portable format. However, the employee can ask for it to be provided in an alternative format, such as paper copies.
5. What's the worst that can happen if we don't comply with a DSAR?
Fines for an employer’s failure to comply with a DSAR fall within the category of more serious GDPR breaches, for which employers can be fined up to 20 million Euros or, if higher, 4% of worldwide annual turnover.
Given the potential complexity and demands of complying with a DSAR, employers may wish to consider having an internal policy or procedure to help them manage the DSAR process and prove compliance. Note that this is not strictly required. Employers who do not anticipate many DSARs may choose not to adopt one. Employers will always be able to prove compliance by keeping records of requests and responses. We would however recommend at least that employers communicate within their organisation that written requests, submitted via any channel (for example email, text or letter), by an employee or by a third party on behalf of the employee, be passed on to HR (or the team tasked with dealing with DSARs) as soon as possible, so that the employer may respond in a timely fashion.