What data subject access rights will employees have under the General Data Protection Regulation (GDPR)?
Employees, job applicants and other "data subjects" currently have the right under the Data Protection Act 1998 to make a data subject access request to obtain from the employer details of any personal data relating to them that it is processing. This will continue to be the case under the General Data Protection Regulation (GDPR), but there are some changes to the rules on responding to a data subject access request.
As is the case now, the data subject will have the right under the GDPR to access personal data concerning him or her and obtain information about it, including the purposes for which it is being processed, the categories of personal data concerned and any recipients or categories of recipients of the data. Under the GDPR, the employer will, in particular, have to inform the data subject of any recipients of the data in countries outside the European Economic Area. It will also have to inform him or her of other information not currently required, including the envisaged retention period for the data, or the criteria used to determine that period, and of his or her rights to request rectification or erasure of the data, to request the restriction of processing and to object to processing.
Under the GDPR, employers and other data controllers must respond to a data subject access request "without undue delay" and within one month at the latest, although this can be extended by two further months where necessary, taking into account the complexity and number of requests. Under the current rules, employers have 40 days to respond to a request.
A further change under the GDPR is that employers and other data controllers will no longer be able to charge a fee for providing information in response to a data subject access request, unless the request is "manifestly unfounded or excessive", in particular because it is repetitive. Employers can currently charge up to £10 for responding to a data subject access request.
Under the GDPR, if an employer receives a request that is manifestly unfounded or excessive, it can either charge a reasonable fee, taking into account the administrative costs of responding to the request, or refuse to act on the request.
The GDPR states that, where the data subject makes a request by electronic means, the information "shall be provided by electronic means where possible", unless the data subject requests otherwise.
The GDPR will come into effect on 25 May 2018.