What data subject access rights do employees have under the General Data Protection Regulation (GDPR)?

Employees, job applicants and other "data subjects" have the right under the General Data Protection Regulation (2016/679 EU) (GDPR) to make a data subject access request to obtain details from the employer of any personal data relating to them that it is processing. This was also the case under the previous Data Protection Act 1998 regime, but there are some changes to the rules on responding to a data subject access request under the GDPR.

The data subject has the right under the GDPR to access personal data concerning him or her and obtain information about it, including the purposes for which it is being processed, the categories of personal data concerned and any recipients or categories of recipients of the data. Under the GDPR, the employer will, in particular, have to inform the data subject of any recipients of the data in countries outside the European Economic Area. It also has to inform him or her of other information not previously required, including the envisaged retention period for the data, or the criteria used to determine that period, and of his or her rights to request rectification or erasure of the data, to request the restriction of processing and to object to processing.

Under the GDPR, employers and other data controllers must respond to a data subject access request "without undue delay" and within one month at the latest, although this can be extended by two further months where necessary, taking into account the complexity and number of requests. Under the previous rules, employers had 40 days to respond to a request.

A further change under the GDPR is that employers and other data controllers can no longer charge a fee for providing information in response to a data subject access request, unless the request is "manifestly unfounded or excessive", in particular because it is repetitive. Employers could previously charge up to £10 for responding to a data subject access request.

Under the GDPR, if an employer receives a request that is manifestly unfounded or excessive, it can charge a reasonable fee taking into account the administrative costs of responding to the request; or it can refuse to act on the request.

The GDPR states that, where the data subject makes a request by electronic means, the information "shall be provided by electronic means where possible", unless the data subject requests otherwise.