
An employer’s guide to Subject Access Requests

Posted by Anna Aldred on 20th June 2023

In this scenario, a subject access request (SAR) is a request from an employee to their employer to obtain information as to whether or not personal data is being processed about them.

A trend that we have seen in practice is that employees are becoming increasingly aware of their rights under data protection legislation. The right exercised most often in the employment relationship is the right of access under Article 15, UK GDPR, and most employers will have been on the receiving end of a request.

Why make one?

An employee may be genuinely motivated by a wish to find out what data is being processed and to make sure that it is accurate. However, SARs are frequently made in the context of an ongoing dispute or a tribunal or court claim. Some employees may also see the administrative burden and expense to which an employer may be put as offering useful leverage in a dispute and in achieving a settlement.

When to respond?

Regardless of the motivation, when a request comes in, the employer is required to deal with it without undue delay. The legislation gives the receiver one month to comply with the request. This can be extended by up to two further months if the request is complex or there are a number of requests. The employee must be told about this extension, and the reason for it, within one month of the original request.

What to include?

If the information/documents fall within the scope of a request, the employee is entitled to be given a copy of their personal data together with supplementary information on how the data is being processed. We find that some employers simply respond by providing copies, believing that this is enough to comply with their obligations. However, this is not the case. A response needs to include this supplementary information for it to be fully compliant.


As discussed at our recent GDPR seminar, some of the challenges that employers may face when dealing with a request are:

  • How to carry out a reasonable search of the systems to find the personal data.
  • What to do if the information includes third party data.
  • How to deal with excessive and vexatious requests.
  • How to disclose data such as CCTV imagery that includes third party data, where it is not possible to remove third parties by using pixelation tools.

The benefits of legal professional privilege

One of the main takeaways from the session is the benefit of legal professional privilege: correspondence to legal advisers is exempt from being disclosed in a SAR.

If you’ve received a SAR or are in need of data protection advice, speak to a member of our team.
