Search

How can we help?

Icon

DSAR: Do I need to provide names if requested?

Under the General Data Protection Regulation (GDPR), in both the EU and UK versions, employees have the right to request access to their personal data from their employer called a Data Subject Access Request (DSAR).

The employee is entitled to be given a copy of their personal data together with certain information which includes information as to ‘the recipients or categories of recipients to whom data has been or will be disclosed’.

Many employers when responding to such requests prefer to provide the ‘categories of recipients’ rather than specific names and, as such, may refer to groups such as ‘business contacts’ or ‘HR’.

However, this point has come up recently in the EU case of RW v. Osterreichische Post (OP)

The facts on this DSAR case

The data subject in this case made a data access request to OP. The company OP had provided general descriptions of the recipients of the data (e.g. “business customers for marketing purposes”) but the data subject did not believe this was good enough and asked OP to specifically identify the third parties that his personal data had been shared with.

The Advocate General’s opinion

The Advocate General usually gives an opinion prior to the European Court of Justice handing down its own judgment. The Judgment does typically follow the opinion but it does not have to.

In the Advocate General’s opinion, the EU GDPR requires an employer to provide information as to the specific recipients, if it is requested to do so by the employee. It recognised that the EU GDPR allows a choice between categories or specific recipients but said that this choice was for the employee to make, not the employer.

Many employers when responding to such requests prefer to provide the ‘categories of recipients’ rather than specific names and, as such, may refer to groups such as ‘business contacts’ or ‘HR’.

What this means for the UK GDPR?

Firstly, this is an opinion by the Advocate General and may not be followed by the European Court of Justice at all. Secondly, this is an EU case involving interpretation of EU law (the EU GDPR) and is not, therefore, binding on the UK. However, as the UK GDPR uses the same wording it is arguable that this case could have some impact on the way the UK GDPR is interpreted.

It is unclear how specific the requirement is in this specific case, but it could be argued from this case that if an employee requests the names of those in HR who have seen his data, rather than just accepting a ‘HR’ categorisation, then an employer may need to provide it. This makes compliance with such requests even more onerous for organisations.

It will be interesting to see how this point plays out in the UK, particularly given the government’s recent consultation on data protection (including access requests) which is aimed, in part, at reducing the burdens on organisations. For further support with your data subject access requests contact our employment solicitors.

About this article

Disclaimer
This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full General Notices on our website.

About this article

Read, listen and watch our latest insights

art
  • 22 January 2025
  • Corporate and M&A

Deal Announcement: Clarkslegal’s Corporate team advise founder on exit from Bristol based hospitality business

Clarkslegal is pleased to have advised the exiting shareholder and director of a hospitality business in the South West on the sale of their shareholding and termination of their employment.

art
  • 20 January 2025
  • Employment

AI Opportunities Action Plan – The impact of AI on employment

The Government has announced its ‘AI Opportunities Action Plan’ in which it plans to increase the use of AI across the UK to ensure the UK is a world leader in the field. 

art
  • 20 January 2025
  • Immigration

Navigating the ETA scheme: A Guide for Travellers to the UK

Here’s a summary of the most significant changes in UK immigration in 2024 and what we can expect in the year to come.

art
  • 16 January 2025
  • Corporate and M&A

Business Asset Disposal Relief: Changes to CGT Relief and the Consequences for Business Owners

Developing a robust cybersecurity strategy is essential to ensuring value retention, securing sensitive data, minimising risks and a seamless transfer during and after the merger or acquisition.

art
  • 14 January 2025
  • Employment

Is this the end of working from home?

In this article, we explore what legal rights employees and businesses have in this context as well as considering more commercial factors.

art
  • 13 January 2025
  • Litigation and dispute resolution

Looking ahead to Dispute Resolution in 2025

2025 is shaping up to be a busy year with  a number of important changes due to be implemented by new legislation. In this article we take a look at a few of the changes affecting litigation and Dispute Resolution.