DSAR: Do I need to provide names if requested?

Under the General Data Protection Regulation (GDPR), in both the EU and UK versions, employees have the right to request access to their personal data from their employer called a Data Subject Access Request (DSAR).

The employee is entitled to be given a copy of their personal data together with certain information which includes information as to ‘the recipients or categories of recipients to whom data has been or will be disclosed’.

Many employers when responding to such requests prefer to provide the ‘categories of recipients’ rather than specific names and, as such, may refer to groups such as ‘business contacts’ or ‘HR’.

However, this point has come up recently in the EU case of RW v. Osterreichische Post (OP)

The facts on this DSAR case

The data subject in this case made a data access request to OP. The company OP had provided general descriptions of the recipients of the data (e.g. “business customers for marketing purposes”) but the data subject did not believe this was good enough and asked OP to specifically identify the third parties that his personal data had been shared with.

The Advocate General’s opinion

The Advocate General usually gives an opinion prior to the European Court of Justice handing down its own judgment. The Judgment does typically follow the opinion but it does not have to.

In the Advocate General’s opinion, the EU GDPR requires an employer to provide information as to the specific recipients, if it is requested to do so by the employee. It recognised that the EU GDPR allows a choice between categories or specific recipients but said that this choice was for the employee to make, not the employer.

What this means for the UK GDPR?

Firstly, this is an opinion by the Advocate General and may not be followed by the European Court of Justice at all. Secondly, this is an EU case involving interpretation of EU law (the EU GDPR) and is not, therefore, binding on the UK. However, as the UK GDPR uses the same wording it is arguable that this case could have some impact on the way the UK GDPR is interpreted.

It is unclear how specific the requirement is in this specific case, but it could be argued from this case that if an employee requests the names of those in HR who have seen his data, rather than just accepting a ‘HR’ categorisation, then an employer may need to provide it. This makes compliance with such requests even more onerous for organisations.

It will be interesting to see how this point plays out in the UK, particularly given the government’s recent consultation on data protection (including access requests) which is aimed, in part, at reducing the burdens on organisations. For further support with your data subject access requests contact our employment solicitors.