UK and EU GDPR for HR | Summer 2025

Published on 10th July 2025

The Data (Use and Access) Act, work surveillance, 'excessive' subject access requests and employment records

Welcome to the summer edition of our GDPR for HR newsletter featuring the latest updates, cases and insights on data privacy.

In this edition we look at the following:

Data (Use and Access) Act: what employers need to know

The Data (Use and Access) Act, which received Royal Assent on 19 June, is the latest reform legislation that amends but does not replace the UK General Data Protection Regulation (GDPR), the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations.

A small number of provisions of the UK data reform packet are now in force, with the remainder expected to follow via secondary legislation over the coming months.

The Information Commissioner's Office (ICO) has published guidance on the Data Use and Access Act and what the changes mean for organisations and employers.

Data subject access requests

ICO guidance and case law already dictate that data controllers are only obliged to carry out "reasonable and proportionate" searches to locate information in response to subject access requests. This limitation is now replicated within sections 75-78 and 104 of the DUAA.

The new provision is now in force but should not be problematic for employers, as it simply confirms the current position. Employers should be looking out for updated guidance on the right of access, which the ICO has committed to publishing this summer.

Complaints procedures

Employers will also be considering the steps to take to help people who want to make complaints about how their personal information is used. This is covered by section 164 of the DUAA and includes having clear, accessible complaints-handling procedures, providing an electronic complaints form, acknowledging complaints within 30 days and responding with an outcome "without undue delay".

There is no implementation date as yet for the new obligations regarding complaints. However, prudent employers will be taking steps to implement these practices and procedures sooner rather than later, with the measures helping to support trust and confidence in businesses' data handling operations.

Automated decision-making

Subject to meaningful human oversight and other appropriate safeguards, section 80, schedule 6 of the DUAA permits wider use of automated decision-making. Employers will potentially be able to rely on any of the lawful bases for this type of processing, with the exception of the new "recognised legitimate interests".

Previously, automated decision-making could only be used with consent or where it was necessary for performance of a contract or permitted by law. This amendment should broaden the scope for use of automated decision-making; for example, within the context of recruitment, performance management and disciplinary action.

Employers will, however, need to be transparent and provide employees with a mechanism by which to challenge automated decisions. The position in respect of special category data remains unchanged, with more protections in place. There is no date as yet for implementation of these changes; in the meantime, employers are only permitted to use automated decision-making on the current more restricted basis.

New 'recognised legitimate interests' lawful basis

When personal data is used for specified "recognised legitimate interests", employers will potentially be able to rely on this new additional basis as detailed in section 70, schedule 4 of the DUAA. Where applicable, employers will still need to demonstrate that processing of personal data is necessary but, unlike the existing "legitimate interests" basis, there will be no requirement to balance the impact on the people whose personal information is used against the benefits arising from that use – for example, when protecting public security. As with most of the other reforms, this new lawful basis is not yet in force and employers must wait until it is before relying on this change.

While waiting for the changes to come into force, employers can keep up to date with the wider implications of the reforms for organisations and the regulatory outlook for data law.

Black employees are at highest risk of work surveillance, IPPR reports

The Institute for Public Policy Research (IPPR) has suggested in a recent report that workplace surveillance disproportionately affects black employees.

The IPPR report indicates that workers in low-autonomy, low-skill and non-trade union jobs are at a significantly higher risk of surveillance. Black workers are more likely to be in low-autonomy (26 per cent) and low-skill (42 per cent) roles, while almost three quarters (73 per cent) are not members of a trade union and, consequently, more likely to be at risk of being subjected to surveillance compared to other ethnic groups.

Productivity and inequality

Although workplace surveillance aims to improve productivity and ensure compliance with policies, it may inadvertently deepen existing inequalities in the UK labour market by infringing employee rights and undermining wellbeing.

Many employers utilise advanced technologies such as facial recognition, biometric tracking, and tools that monitor everything from keystrokes to workers' emotional states, often without employee consent. This can damage the trust and respect of employers if not carried out appropriately and transparently.

IPPR recommendations

The IPPR recommends the implementation of new laws to give employees a say over surveillance and algorithmic management.

These include new legal rights to consultation before introducing surveillance technologies and adding surveillance as a statutory subject of collective bargaining.

It also recommends that transparency requirements compel employers to disclose what data is collected, why and how it will be used. Strong enforcement mechanisms could include tribunal access and financial penalties for breaches.

Privacy impact assessments

The report serves as a reminder to employers who are considering introducing or reviewing existing employee monitoring practices that it is crucial to undertake a privacy impact assessment to ensure the monitoring is reasonable, proportionate and necessary.

This type of risk assessment should consider justification for the proposed monitoring in relation to individual roles rather than in general terms. For example, there may be greater justification for monitoring manual labour jobs where productivity is considered critical.

However, a risk assessment should also consider alternative, less intrusive methods of fostering productivity, such as setting clear goals, providing autonomy and focusing on employee engagement and performance.

Rights protection

If personal data processing is likely to result in a high risk to employees' rights and freedoms, employers are required by UK GDPR to conduct a Data Privacy Impact Assessment (DPIA): a more comprehensive form of risk assessment that must address specific processing considerations.

The IPPR report has shed light on how monitoring practices in some job roles can disproportionately impact ethnic minorities. However, the process of carrying out a DPIA, if done correctly, can help employers to identify and address proactively any monitoring practices that have potentially discriminatory consequences – and thereby support and protect the rights of ethnic minority employees.

'Excessive' subject access requests: when to say no or to charge a fee

A recent Court of Justice of the European Union (CJEU) ruling in relation to the Austrian Data Protection Authority (DPA) and excessive requests (C-416/23) considered a case involving an individual who complained to the authority on 77 occasions within a 20-month period between 2018-2020.

The individual's complaints related to various data controllers who had not responded within the one-month time period to his requests for erasure and access (SARs). The DPA had refused to act, arguing that the number of complaints the individual had submitted was "excessive".

CJEU guidance on 'excessive'

The CJEU confirmed that article 57(4) of the GDPR entitles data protection authorities to charge a reasonable fee or refuse to act in respect of "excessive" complaints. However, there is no definition of "excessive" or a threshold for the number of complaints which, if exceeded, automatically indicates excessiveness.

The CJEU provided guidance on the meaning of "excessive". Although the case related to the handling of complaints by a DPA, the CJEU confirmed that the same principles should be applied by data controllers who seek to demonstrate that an individual's request to exercise data rights is "excessive" under article 12(15) of the GDPR and to refuse to act or charge a reasonable fee on this basis.

Can an employer refuse a request?

In short, very rarely. Employers will often ask whether they can refuse to act upon a subject access request on the basis that it is very wide or that multiple requests have been received, and some may see this as a tempting strategy to evade the heavy burden of complying with such requests.

However, the judgment makes clear that there will be very limited circumstances in which a request to exercise data rights will be "excessive" such that the data controller can justify charging a reasonable fee or refusing to act.

It also makes clear that the number or scale of requests would not, in itself, equate to "excessiveness", although it might form part of the evidence.

Moreover, the burden is on the employer to demonstrate abusive intentions behind the requests; for example, that the purpose of the request was not related to protection of data rights under GDPR but to disrupt the functioning of the data controller by swamping it with requests.

Even if an employer can demonstrate abusive intent, they must also show that charging a reasonable fee or refusal to act was reasonable, proportionate, appropriate and necessary in all the circumstances.

Osborne Clarke has a team dedicated to handling employment-related subject access requests, ranging from strategic advice on specific aspects of responding to requests to end-to-end services where we carry out the entire process on behalf of clients. Learn more about our DSAR management offering on our GDPR for HR page.

ICO issues new guidance on keeping employment records

HR teams routinely process employees' personal information, but ensuring compliance with data protection laws can be tricky.

The Information Commissioner's Office (ICO) has recently published new guidance to help employers to better understand their data protection obligations when keeping employment records.

The guidance offers clarification on retention periods, as well as reminding employers of the importance of transparency with employees about processing activities, of facilitating data subject rights – such as the rights of access, deletion and correction – and of data security.

Retention practices checklist
  • Employers need to be able to justify how long they keep employees' personal information.
  • Different retention periods should apply to different types of personal information. The ICO advises employers not to take a 'one-size-fits-all' approach.
  • HR teams should set up and regularly review retention policies to ensure employees' data is not kept longer than necessary.
  • Retention considerations should apply to all types of employment relationships (employees, contractors, volunteers, and gig or platform workers) as well as circumstances where there is a service relationship between an organisation and a person who performs work for it, regardless of the nature of the contract.

Have a quick read of our GDPR for HR flyer to understand how we can assist your business to manage risk and compliance in relation to the topics covered in this newsletter or any other employment-related data protection query.

* This article is current as of the date of its publication and does not necessarily reflect the present state of the law or relevant regulation.