Information about Data Subject Access Requests (Article 15 GDPR)
What is it?
A Data Subject Access Request (DSAR) is a request addressed to the employer. In our case it gives employees, former employees and job applicants the right to obtain information about, and a copy of, the personal data the employer is processing about them, and to exercise that right easily and at reasonable intervals, in order to be aware of the processing and to verify its lawfulness.
Every employee, former employee and job applicant has the right to know whether their personal data is being processed and to obtain information about the purposes of that processing.
Can a union submit a DSAR on an employee’s behalf?
Yes! Guidance from data protection authorities states that data controllers (in our case the employers) should deal with a data subject's duly authorised representative if the representative submits a DSAR on the data subject's behalf.
What information are employers obligated to provide in a DSAR response?
They must confirm whether they are processing personal data about the requester and, if so, provide a copy of that personal data together with other information, including:
** The purposes of the processing
** The recipients or categories of recipients (including third parties) with whom the organization shares the personal data, if any
** The categories of personal data the organization is processing
** The source of the data (if it was not collected from the individual)
** The data retention period, i.e. how long the organization will keep the data (or, where a fixed period cannot be given, the criteria used to determine it)
** Information about automated decision-making (including profiling), including the logic involved and its significance and envisaged consequences for the individual
** Information about the employee's GDPR rights (right to rectification, right to erasure, restriction of processing, right to object, right to lodge a complaint with a supervisory authority…)
Can we make as many DSARs as we wish?
No! Be very careful here. Article 12(5) says:
"Information provided under Articles 13 and 14 and any communication and any actions taken under Articles 15 to 22 and 34 shall be provided free of charge. Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either:
– (a) charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or
– (b) refuse to act on the request.
The controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request."
In practice this means a single, well-prepared DSAR is better than a series of overlapping ones: repeated requests for the same data within a short period are the clearest example of "repetitive character", and although the employer must prove that a request is manifestly unfounded or excessive, it may then charge a fee or refuse to act.