Respond to a subject access request from an employee under the GDPR

Key points

  • Employees (and other data subjects) have the right to request copies of the personal data that an employer holds about them.
  • The employer must respond to a subject access request within the timescale set out under the General Data Protection Regulation (GDPR), providing information about how it processes the employee's personal data, including for how long it will hold the data (or how the retention period is calculated).
  • Where the employee makes the request electronically, the employer should provide the information in an electronic format.

XpertHR resources