Respond to a subject access request from an employee under the GDPR

Key points

  • Employees (and other data subjects) have the right to request copies of the personal data that an employer holds about them.
  • The rules for replying to a subject access request under the General Data Protection Regulation (GDPR) differ from those under the previous data protection regime, for example the timescale for responding to a request is shorter under the GDPR.
  • The employer must provide additional information about how it processes the employee's personal data, including for how long it will hold the data (or how the retention period is calculated).
  • Where the employee makes the request electronically, the employer should provide the information in an electronic format.

XpertHR resources