What data subject access rights do employees have under the UK GDPR?
Employees, job applicants and other "data subjects" have the right under the UK General Data Protection Regulation (retained from EU Regulation 2016/679 EU) (UK GDPR) to make a data subject access request to obtain details from the employer of any personal data relating to them that it is processing.
The data subject has the right to access personal data concerning them and obtain information about it, including the purposes for which it is being processed, the categories of personal data concerned and any recipients or categories of recipients of the data. It must also inform them of other information, including the envisaged retention period for the data, or the criteria used to determine that period, and their rights to request rectification or erasure of the data, to request the restriction of processing and to object to processing.
Employers and other data controllers must respond to a data subject access request "without undue delay" and within one month at the latest, although this can be extended by two further months where necessary, taking into account the complexity and number of requests.
Under the UK GDPR, if an employer receives a request that is manifestly unfounded or excessive, it can charge a reasonable fee taking into account the administrative costs of responding to the request; or it can refuse to act on the request.
The UK GDPR states that, where the data subject makes a request by electronic means, the information "shall be provided by electronic means where possible", unless the data subject requests otherwise.