How to manage a subject access request (GDPR compliant)

July 24th, 2018 | All, HR News

Individuals have rights of access in relation to the personal data that you hold on them. A request for such information is called a ‘subject access request’. There is no restriction on the scope of data that can be requested, although the request must be made in relation to an individual’s personal data, including special categories of personal data.

Subject access requests must be made in writing, although it may be a reasonable adjustment to accept a verbal request where the individual making the request is disabled. The individual does not need to give a reason for seeking the information for the request to be valid.

If a subject access request is made on behalf of an individual by a third party, you must also ensure that the third party is entitled to act on the individual’s behalf by requiring them to provide evidence of this.

Upon receiving a request you should:

  • ensure that the data requested is personal data relating to the employee.
  • ensure that the employee is specific regarding the data they wish to have access to. You can ask them to be more specific.
  • ask the individual to verify their identity if you have reasonable doubts over the identity of the employee.
  • ensure the information is provided free of charge, although if the request is “manifestly unfounded or excessive, particularly if it is repetitive” or where further requests for the same information are made, then a reasonable fee may be charged.

The information must be provided without delay, and at the latest within one month of receipt of the request. However, where requests are complex or numerous, you may extend the normal one month maximum time limit by a further two months. Where you decide to use the extension, you must inform the employee within one month of receipt of the request and give reasons for the extension.

You must send a copy of the personal data in writing to the employee, along with:

  • the purposes of the processing.
  • the categories of personal data concerned.
  • the recipients or categories of recipients to whom data has been or will be disclosed.
  • the period during which personal data will be retained.
  • information on the source of the data.
  • information regarding complaints and disputes: the right to complain to a supervisory authority, the right to request rectification or erasure of personal data, and the right to object to processing of data or to restrict that processing.
  • where personal data is transferred outside the EEA, information on any safeguards.

If you require further support on this subject, please contact our team of HR Consultants at aspire cambridge today on 01223 855441.