Home / News and Events / Latest News / Managing a Data Subject Access Request

Managing a Data Subject Access Request


The scope of a Data Subject Access Requests (DSAR) is wide ranging and has become a staple action point in the itinerary of an employee embarking on a contentious internal or external legal process with their employer.

Under the above EU legislation, Employees have the right to get a copy of any personal data which an organisation holds on them. Employees also have the right to find out if their personal data is being processed.

If an Employee’s personal data is being stored or used (processed), they have the right to know:

  • The reason why it is being processed
  • Where the personal data came from
  • Who your personal data will be shared with
  • How long your personal data will be kept
  • The categories of personal data being processed
  • How to exercise your data protection rights

Finally, Employees have a right to make a complaint to the Data Protection Commissioner should they see fit.

Special Category Data

Some personal data is very sensitive and special rules apply to this information. These special categories include information that reveals any of the following:

  • Race or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Health
  • Any biometric information (for example, your fingerprints) or genetic data
  • Sexual orientation or sex life

The processing of this information is only allowed where the employee has given their explicit consent or where the information is absolutely necessary to meet other legal requirements. For example, you may have to inform an Employer of nationality to show that they have the legal status to work or perhaps require a visa.

Article 15 – EU GDPR
“Right of access by the data subject”

Article 15 of the GDPR allows an employee to seek confirmation from their employer that personal data relating to them is processed by the employer. However, the real crux of this article from an employer’s perspective is it must provide a copy of the personal data undergoing processing to the employee making the DSAR. Article 15 brought in for Data subjects to self govern what data is held in relation to them. The request must be in writing – email is sufficient. It is not advisable for Employer to question motives as to why the request has arisen

When a DASR is received

It is good practice to write to the employee at the earliest opportunity to:

  • Confirm receipt of the DSAR
  • Request further clarification on the request
  • Seek confirmation of identity, if necessary
  • Propose the scope of the reply and seek the employee’s agreement
  • Indicate when the request is likely to be responded to


Processing the Request as the Data Controller

Initial considerations on receiving the request

  • Data Protection Officer should be advised
  • Refine Scope
  • Plan for timeframe inline with legislation (1 month)
  • If the request is complex or involves a large amount of information, the data controller can extend the time to respond by a further two months. Employee should receive a written explanation for any extension within the initial one-month period.
  • Protection of personal data from destruction from this day forward
  • There is no longer a fee involved in the administration of the request

Reasonable Searches

  • Identify custodians – processing activities
  • Keyword searches – use Employee name and Employee Number if applicable

Information to be provided when responding to the Request

Entitled to confirmation is personal data being processed and if so:

  • Why their personal data is being used
  • The types of personal data held
  • How long the Data Subject’s personal data will be stored
  • If you have or will be transferring personal data to a third party
  • Where restrictions are applied.

Applying Redactions


When can you restrict the exercise of a Data Subject Request

A data controller can refuse access to some or all of the requested data where:

  • Providing personal data has an impact on the rights of others
  • The personal data is listed with the personal data of others (In these cases, the data controller may remove the personal data of others to provide you with your data)
  • The personal data is in a document that has trade secrets, confidential information or intellectual
  • The request is considered ‘manifestly unfounded or excessive’ (for example, if you made a request in the recent past and were told that the data controller had no personal data relating to the specific Data Request)

By law, access to your personal data may also be refused in relation to processing carried out:

  • For electoral purposes, such as publishing a roll of electors
  • By the Electoral Commission
  • In the administration of tax and duties
  • To safeguard Cabinet confidentiality
  • When defending legal claims

These exceptions are listed in Section 60 of the Data Protection Act 2018.

How are complaints made regarding ?

If the employee is not satisfied with the DSAR response, it is open to them to file a complaint with the DPC that the employer did not properly respond to the DSAR.Complete the DPC’s online complaint form. The complainant will be asked to provide evidence to support their complaint. This includes:

  • Evidence of their access request
  • Correspondence between the complainant (or your legal representative) and the data controller and
  • information in support of their belief that the data controller holds your personal Information

Deceased people

  • In Ireland, GDPR rules for the processing of personal data do not generally apply to those who have died. Access may be possible under Freedom of Information laws.


The Right to be Forgotten

Everyone no matter their role  has the right to have their data erased, without undue delay, if one of the following grounds applies:

  • Where their personal data is no longer necessary in relation to the purpose for which it was collected or processed.
  • Where they withdraw your consent to the processing and there is no other lawful basis for processing the data.
  • Where they object to the processing and there is no overriding legitimate grounds for continuing the processing
  • Where they object to the processing and your personal data is being processed for direct marketing purposes
  • Where their personal data has been unlawfully processed.
  • Where their personal data has to be erased in order to comply with a legal obligation.
  • Where their personal data has been collected in relation to the offer of ‘information society services’ (for example, social media) to a child.

The Right to be Forgotten does not override National Legislation under any circumstances.

Good practice to conduct an annual review of how your department holds data using a Data/Record Retention Schedule. ISME’s Record Retention Schedule can be found on the ISME HR Hub.