Respond to a subject access request from an employee under the GDPR
- Employees (and other data subjects) have the right to request copies of the personal data that an employer holds about them.
- The rules for replying to a subject access request under the General Data Protection Regulation (GDPR) differ from those under the previous data protection regime, for example the timescale for responding to a request is shorter under the GDPR. The GDPR came into force on 25 May 2018.
- The employer must provide additional information about how it processes the employee's personal data, including for how long it will hold the data (or how the retention period is calculated).
- Where the employee makes the request electronically, the employer should provide the information in an electronic format.