Search

How can we help?

Icon

DSAR: Do I need to provide names if requested?

Under the General Data Protection Regulation (GDPR), in both the EU and UK versions, employees have the right to request access to their personal data from their employer called a Data Subject Access Request (DSAR).

The employee is entitled to be given a copy of their personal data together with certain information which includes information as to ‘the recipients or categories of recipients to whom data has been or will be disclosed’.

Many employers when responding to such requests prefer to provide the ‘categories of recipients’ rather than specific names and, as such, may refer to groups such as ‘business contacts’ or ‘HR’.

However, this point has come up recently in the EU case of RW v. Osterreichische Post (OP)

The facts on this DSAR case

The data subject in this case made a data access request to OP. The company OP had provided general descriptions of the recipients of the data (e.g. “business customers for marketing purposes”) but the data subject did not believe this was good enough and asked OP to specifically identify the third parties that his personal data had been shared with.

The Advocate General’s opinion

The Advocate General usually gives an opinion prior to the European Court of Justice handing down its own judgment. The Judgment does typically follow the opinion but it does not have to.

In the Advocate General’s opinion, the EU GDPR requires an employer to provide information as to the specific recipients, if it is requested to do so by the employee. It recognised that the EU GDPR allows a choice between categories or specific recipients but said that this choice was for the employee to make, not the employer.

Many employers when responding to such requests prefer to provide the ‘categories of recipients’ rather than specific names and, as such, may refer to groups such as ‘business contacts’ or ‘HR’.

What this means for the UK GDPR?

Firstly, this is an opinion by the Advocate General and may not be followed by the European Court of Justice at all. Secondly, this is an EU case involving interpretation of EU law (the EU GDPR) and is not, therefore, binding on the UK. However, as the UK GDPR uses the same wording it is arguable that this case could have some impact on the way the UK GDPR is interpreted.

It is unclear how specific the requirement is in this specific case, but it could be argued from this case that if an employee requests the names of those in HR who have seen his data, rather than just accepting a ‘HR’ categorisation, then an employer may need to provide it. This makes compliance with such requests even more onerous for organisations.

It will be interesting to see how this point plays out in the UK, particularly given the government’s recent consultation on data protection (including access requests) which is aimed, in part, at reducing the burdens on organisations. For further support with your data subject access requests contact our employment solicitors.

About this article

Disclaimer
This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full General Notices on our website.

About this article

Read, listen and watch our latest insights

Pub
  • 15 July 2025
  • Corporate and M&A

Preparing your professional services firm for sale

In our latest podcast, join Stuart Mullins and Nicky Goringe Larkin as they explore the complexities of valuing and preparing professional services firms for the market, whether for sale, merger, venture, or fundraising.

art
  • 15 July 2025
  • Employment

Employment law reform: UK Government launches review of parental leave and pay

On 1 July 2025, the Government announced that it would be conducting a full review of parental leave and pay, which includes maternity and paternity leave; parental leave; shared parental leave; adoption leave and others.

Pub
  • 14 July 2025
  • Privacy and Data Protection

From legislation to implementation: The Data (Use and Access) Act 2025

In this podcast, our data protection experts, Melanie Pimenta and Harry Berryman, will explain what the Act means for your organisation and how to ensure compliance with the new regulations.

art
  • 11 July 2025
  • Employment

Silenced No More: The Future of NDAs in UK Employment Law

On 8 July 2025, the government announced plans to put forward measures to ban the use of Non-Disclosure Agreements (“NDAs”) to silence employees subjected to harassment or discrimination.

art
  • 08 July 2025
  • Corporate and M&A

Share buybacks and what to do when they are void!

A share buyback is when a company purchases its own shares from a shareholder. However, for a limited company to successfully purchase its own shares, it must comply with Part 18 of the Companies Act (CA) 2006.

art
  • 07 July 2025
  • Commercial Real Estate

Climate change risks in property transactions

Climate change is starting to affect our lives to a greater extent than experienced before. Extreme weather events such as floods, droughts and heatwaves are becoming a frequent occurrence.