Data protection



Employment law- Data protection

The GDPR (General Data Protection Regulation) came into force on 25 May 2018. The Regulation replaced the old Data Protection Act and is concerned with respecting your rights as individuals when processing your personal information.

The regulation contains 6 principles:

1.Personal data should be processed fairly, lawfully and in a transparent manner.
2.Data should be obtained for specified and lawful purposes and not further processed in a manner that is incompatible with those purposes.
3.The data should be adequate, relevant and not excessive.
4.The data should be accurate and where necessary kept up to date.
5.Data should not be kept for longer than necessary.
6.Data should be kept secure.

What are my rights as an employee?

The GDPR requires your employer to provide you with a privacy notice. This will outline the legal reasoning and justification for the collection and processing of your data. The privacy notice must include;

-the identity and contact details of your employer as the data controller;
-the data protection officer contact details ;
-the purposes for which the data is being collected and the legal reasoning for processing;
-where the legal basis for processing is the legitimate interests of the employer or a third party, the legitimate interests relied on;
-the recipients, or categories of recipients, of the data, if any;
-details of any sharing  of the data outside the European Economic Area and the appropriate procedures in place;
-the period for which the data will be stored,
-the data subject’s rights to request access to, correction or deletion of data; to request restriction of processing; or to object to processing;
-the right to data portability;
-the right to withdraw consent at any time;
-the right to lodge a complaint;

What is considered personal data under the GDPR?

Personal data is data that relates to an identified or identifiable individual and is:

-processed electronically.
-kept in a filing system (manually or otherwise).
-part of an accessible record, for example an education record.
-held by a public authority.

This includes data that does not name an individual but could potentially identify them, for example a payroll or staff number. Any personal data your employer has in their possession will also be subject to the Regulation. For example, your manager may have a written copy of contact details for your team.

Accessing your personal information- a subject access request

As an employee, you have the right to request the data that your employers holds about you.

There is no prescribed format for a valid subject access request, although your employer can provide a form to assist you with making a request and to streamline the process for responding to the request. You do not have to use particular language, or state that you are making a subject access request. It just has to be clear that you are asking for copies of your personal information. For example, a request for “a copy of all information that you hold about me” or “all information relating to my recent grievance” will be a valid subject access request.

What are the time limits for your employer to respond to a subject access request?

Your employer must respond to a subject access request ‘without undue delay and in any event within one month of receipt of the request.’

Your employer is, however, allowed to extend the deadline by up to two months (so up to three months in total) where requests are particularly ‘complex or numerous.’ If this is the case, you must receive notification by your employer within one month of making your request as to why an extension is necessary.

The burden of determining whether a request will be considered ‘complex’ is on your employer. As long as they can provide good reasons for the delay, it is generally considered unlikely that a challenge can be made.

Is there a fee to make a subject access request, and can my employer refuse to comply with the request?

The information must generally be provided free of charge, however employers may charge a ‘reasonable’ fee if the request is ‘manifestly excessive or unfounded, particularly if it is repetitive.’ Any such fee must be based on the administrative costs involved of retrieving the information.

In addition, employers can also now refuse to respond to unwarranted requests, although your employer would need to explain why, and also inform you of your right to complain to the supervisory authority without undue delay. It will usually be difficult for employers to justify why a subject access request cannot be met.

Job applicants

An employer may retain personal information provided by job applicants during the recruitment process, for example, keeping an applicant’s CV on file in case any further vacancies arise in the future. The GDPR states that personal data should not be kept for longer than is necessary for the particular purpose for which it is being retained, so it would seem that such information should be deleted after a reasonable period of time.

The regulations also require an employer to inform job applicants why their data is being processed and exactly what data they will process. Alongside this, a job applicant must be told who will have access to their data and the necessary protective measures that are in place for the sharing of the job applicants data. The employer will also need to outline the rights a job applicant has regarding their data; (these are the same as detailed above.)

Former employees

Employers can retain personal data relating to former employees only if one of the legal reasonings for processing still applies. For example, retention for a certain period may be required for tax purposes, in which case the legal basis under the Regulations would be that it is necessary for compliance with a legal obligation. However, an employer could rely on this legal basis only for the retention of pay data relevant to that  specific purpose-they would not allow for the retention of the former employee’s entire personnel file.

Employers must have a system in place for identifying data that should be kept about former employees, identifying the purpose and legal reasoning for retaining it, determining for how long it should be kept and ensuring that it is deleted thoroughly after the relevant period.

Former employees can request that the employer delete personal data it holds about them. The employer must comply with the request if the data is no longer necessary with regards to the purposes for which it was collected and processed.

Home page

About us

Employment Law FAQs

Contact Form

  • This field is for validation purposes and should be left unchanged.