Search

How can we help?

Icon

DSAR: Do I need to provide names if requested?

Under the General Data Protection Regulation (GDPR), in both the EU and UK versions, employees have the right to request access to their personal data from their employer called a Data Subject Access Request (DSAR).

The employee is entitled to be given a copy of their personal data together with certain information which includes information as to ‘the recipients or categories of recipients to whom data has been or will be disclosed’.

Many employers when responding to such requests prefer to provide the ‘categories of recipients’ rather than specific names and, as such, may refer to groups such as ‘business contacts’ or ‘HR’.

However, this point has come up recently in the EU case of RW v. Osterreichische Post (OP)

The facts on this DSAR case

The data subject in this case made a data access request to OP. The company OP had provided general descriptions of the recipients of the data (e.g. “business customers for marketing purposes”) but the data subject did not believe this was good enough and asked OP to specifically identify the third parties that his personal data had been shared with.

The Advocate General’s opinion

The Advocate General usually gives an opinion prior to the European Court of Justice handing down its own judgment. The Judgment does typically follow the opinion but it does not have to.

In the Advocate General’s opinion, the EU GDPR requires an employer to provide information as to the specific recipients, if it is requested to do so by the employee. It recognised that the EU GDPR allows a choice between categories or specific recipients but said that this choice was for the employee to make, not the employer.

Many employers when responding to such requests prefer to provide the ‘categories of recipients’ rather than specific names and, as such, may refer to groups such as ‘business contacts’ or ‘HR’.

What this means for the UK GDPR?

Firstly, this is an opinion by the Advocate General and may not be followed by the European Court of Justice at all. Secondly, this is an EU case involving interpretation of EU law (the EU GDPR) and is not, therefore, binding on the UK. However, as the UK GDPR uses the same wording it is arguable that this case could have some impact on the way the UK GDPR is interpreted.

It is unclear how specific the requirement is in this specific case, but it could be argued from this case that if an employee requests the names of those in HR who have seen his data, rather than just accepting a ‘HR’ categorisation, then an employer may need to provide it. This makes compliance with such requests even more onerous for organisations.

It will be interesting to see how this point plays out in the UK, particularly given the government’s recent consultation on data protection (including access requests) which is aimed, in part, at reducing the burdens on organisations. For further support with your data subject access requests contact our employment solicitors.

About this article

Disclaimer
This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full General Notices on our website.

About this article

Read, listen and watch our latest insights

art
  • 22 February 2024
  • Employment

Time to take the heat off menopausal women

On 22 February 2024, the EHRC released guidance and resources for employers designed to help employers understand their legal obligations in relation to supporting workers experiencing menopausal symptoms.

Pub
  • 22 February 2024
  • Employment

Talking Employment Law: What to do if you’re at risk of redundancy

In this podcast, Harry Berryman and Rebecca Dowle, members of the employment team, will talk through the steps that need to be taken for a redundancy to be fair and the range of criteria that can be used when determining which employees will be made redundant.

art
  • 21 February 2024
  • Immigration

FAQs Partner Visa UK

Discover the UK Spouse Visa: eligibility, finances, relationship criteria, and the latest updates in 2024 for a successful application.

art
  • 19 February 2024
  • Privacy and Data Protection

The role of Data Protection Officers in ensuring compliance

How many of us receive marketing calls for products and services we did not sign up for?

art
  • 12 February 2024
  • Employment

The World of Work in 2024- What Can HR Expect?

In many senses, 2024 is unlikely to be a year with radical ruptures from those that have gone before it. The significance of 2024 though, is that it is likely to build upon those megatrends impacting the world of work, which have been emerging for some time now and are only likely to strengthen as we move on in time.

art
  • 09 February 2024
  • Privacy and Data Protection

Are we suffering from cookie fatigue?

An over-indulgence in Easter treats might not be the only cookie fatigue that individuals will suffer this year according to the Information Commissioners Office (ICO).