How employers should prepare for data subject access requests
Published on 24th May 2022
New European Data Protection Board guidelines on data requests mean employers will need to get up to speed on obligations
Data subject access requests (DSARs) often arise in the course of a termination of employment or a grievance procedure. A failure to respond to DSARs can leave businesses open to a higher level of administrative fines under the General Data Protection Regulation (GDPR): €20 million or up to 4% of annual global turnover. The European Data Protection Board (EDPB) recently issued new guidelines on the rights of data subjects to access their data. It is, therefore, essential for employers to understand their obligations when dealing with employees' DSARs and prepare accordingly.
What is subject to DSAR?
Personal data that can be requested by employees in DSAR procedures covers not only basic personal data like name, address and phone number but also a broad variety of other data that may fall within this definition. This may include the employee's personal files, emails, correspondence and phone records (which relate to them specifically), pay rises, and new job assignments.
Also, subjective information is personal data "in the form of opinion and assessments, provided that it relates to the data subject". For example, an individual who has a job interview with a company may hand over a CV and application letter, which both encompass personal data. The summary of the interview, including the subjective comments of the interviewer on the behaviour of the individual during the job interview, also encompasses personal data and needs to be provided by the employer if the individual makes a request to access the data the employer holds about them.
Wording, scope and form of request
An employee can simply request all personal data held about them and does not have the obligation to make a specific DSAR. However, where an employer processes a large amount of data concerning the requesting data subject such that providing all personal data would create an "overflow of information" that the data subject cannot effectively handle, the employer may request the data subject to specify the scope of the request and identify the specific information or processing related to the request before delivering the information.
Data controllers can receive DSARs through any number of communication channels. The EDPB confirms that a controller is not obliged to act on requests sent to “a random or incorrect email (or postal) address, not directly provided by the controller, or to any communication channel that is clearly not intended to receive requests concerning data subject’s right, if the controller has provided an appropriate communication channel, that can be used by the data subject.” This point applies only to requests sent to communication channels where the data subject cannot reasonably expect that it is the appropriate contact address for such requests. As a result, it is recommended that a preferred method of contact is made clear to employees to ensure that DSARs are received by the appropriate members of staff.
How should an employer respond?
DSARs are sometimes used by employees to obtain information when going through grievances or in advance of mounting a claim; regardless, the GDPR obliges the employer to take the same approach. The employer must facilitate the exercise of the subject access right by taking reasonable efforts. For example, an employer might find itself in the situation where a DSAR is sent to an employee who is on leave. The employer could set an automated message informing the requesting employee about an alternative communication channel for their data request.
The employer must also disclose the requested information to data subjects in a "concise, transparent, intelligible and easily accessible form using clear and plain language." Accordingly, if the personal data provided is complex and difficult to understand (such as raw data or machine-readable code), employers may need to provide additional information so that it makes sense in a "human readable format." For example, if the requested data is stored in hundreds of pages of log files, employers may need to take additional measures to facilitate the understanding of the log files in addition to just providing the log files.
When should the employer respond to the request?
Many controllers take the full three months, as permitted by the GDPR, in order to comply with access requests. The EDPB, however, emphasises that the default timeframe is one month, and any extension by a further two months "is an exemption from the general rule and should not be overused." The EDPB also states that the mere fact that complying with the request would require a great effort does not make a request complex, and that "if controllers often find themselves forced to extend the time limit, it could be an indication of a need to further develop their DSAR procedures."
Therefore, employers are advised to respond within one month and to use the time extension in exceptional circumstances only. What constitutes a complex request varies depending upon the specific circumstances of each case. The EDPB has emphasised that the mere fact the request will take "great effort" is not necessarily sufficient. Also, when using this time extension, it is recommended to still respond within the first month to acknowledge receipt of the DSAR.
Given the tight timeframe for responding to DSARs, employers should have procedures in place so that DSARs are efficiently identified and then funnelled to the relevant staff member, who can have a response ready as soon as possible. This may require data protection training for staff members.
When reviewing the data requested by the employee, the employer may find that it contains personal data belonging to another employee or a third party. In such a case, a careful balancing exercise should be carried out by the employer as to the employee’s request and any third-party competing rights (for example, the right to confidentiality of email correspondence).
The EDPB points out, however, that those considerations should not result in a refusal to provide any information to the data subject and that controllers should try to reconcile the conflicting rights as far as possible. In other words, the employer cannot simply shelter behind the confidentiality obligation without actually making a real assessment of the situation. Only after a step-by-step analysis of the risks, and where reconciliation is impossible, should the employer determine which of the competing rights and freedoms prevails. The employer could, for example, reconcile both rights in a reasonable manner by making the personal data of the other employee unreadable by anonymising the data or deleting that personal data before handing over the copy to the requesting employee.