What data subject access rights do employees have under the General Data Protection Regulation (GDPR)?

Employees, job applicants and other "data subjects" have the right under the General Data Protection Regulation (2016/679 EU) (GDPR) to make a data subject access request to obtain details from the employer of any personal data relating to them that it is processing.

The data subject has the right to access personal data concerning them and obtain information about it, including the purposes for which it is being processed, the categories of personal data concerned and any recipients or categories of recipients of the data. In particular, the employer has to inform the data subject of any recipients of the data in countries outside the European Economic Area. It must also inform them of other information, including the envisaged retention period for the data, or the criteria used to determine that period, and their rights to request rectification or erasure of the data, to request the restriction of processing and to object to processing.

Employers and other data controllers must respond to a data subject access request "without undue delay" and within one month at the latest, although this can be extended by two further months where necessary, taking into account the complexity and number of requests.

Employers and other data controllers can no longer charge a fee for providing information in response to a data subject access request, unless the request is "manifestly unfounded or excessive", in particular because it is repetitive. Employers could previously charge up to £10 for responding to a data subject access request under the Data Protection 1998 regime.

Under the GDPR, if an employer receives a request that is manifestly unfounded or excessive, it can charge a reasonable fee taking into account the administrative costs of responding to the request; or it can refuse to act on the request.

The GDPR states that, where the data subject makes a request by electronic means, the information "shall be provided by electronic means where possible", unless the data subject requests otherwise.