Search

How can we help?

Icon

DSAR: Do I need to provide names if requested?

Under the General Data Protection Regulation (GDPR), in both the EU and UK versions, employees have the right to request access to their personal data from their employer called a Data Subject Access Request (DSAR).

The employee is entitled to be given a copy of their personal data together with certain information which includes information as to ‘the recipients or categories of recipients to whom data has been or will be disclosed’.

Many employers when responding to such requests prefer to provide the ‘categories of recipients’ rather than specific names and, as such, may refer to groups such as ‘business contacts’ or ‘HR’.

However, this point has come up recently in the EU case of RW v. Osterreichische Post (OP)

The facts on this DSAR case

The data subject in this case made a data access request to OP. The company OP had provided general descriptions of the recipients of the data (e.g. “business customers for marketing purposes”) but the data subject did not believe this was good enough and asked OP to specifically identify the third parties that his personal data had been shared with.

The Advocate General’s opinion

The Advocate General usually gives an opinion prior to the European Court of Justice handing down its own judgment. The Judgment does typically follow the opinion but it does not have to.

In the Advocate General’s opinion, the EU GDPR requires an employer to provide information as to the specific recipients, if it is requested to do so by the employee. It recognised that the EU GDPR allows a choice between categories or specific recipients but said that this choice was for the employee to make, not the employer.

Many employers when responding to such requests prefer to provide the ‘categories of recipients’ rather than specific names and, as such, may refer to groups such as ‘business contacts’ or ‘HR’.

What this means for the UK GDPR?

Firstly, this is an opinion by the Advocate General and may not be followed by the European Court of Justice at all. Secondly, this is an EU case involving interpretation of EU law (the EU GDPR) and is not, therefore, binding on the UK. However, as the UK GDPR uses the same wording it is arguable that this case could have some impact on the way the UK GDPR is interpreted.

It is unclear how specific the requirement is in this specific case, but it could be argued from this case that if an employee requests the names of those in HR who have seen his data, rather than just accepting a ‘HR’ categorisation, then an employer may need to provide it. This makes compliance with such requests even more onerous for organisations.

It will be interesting to see how this point plays out in the UK, particularly given the government’s recent consultation on data protection (including access requests) which is aimed, in part, at reducing the burdens on organisations. For further support with your data subject access requests contact our employment solicitors.

About this article

Disclaimer
This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full General Notices on our website.

About this article

Read, listen and watch our latest insights

art
  • 18 March 2024
  • Privacy and Data Protection

Consent or pay: Issues and considerations, Meta’s potential breach

The ICO has stated that any organisation considering using “consent or pay” must ensure that the consent to processing of personal data for personalised advertising is being given freely, and is fully informed.

art
  • 14 March 2024
  • Employment

The impact of technology-dependent Gen Z on the workplace – Amanda Glover writes for Business Voice magazine

In Business Voice magazine, Amanda Glover, Associate at Clarkslegal writes about the impact of Gen Z sharing details of their work woes on social media and how organisations should respond.

art
  • 13 March 2024
  • Privacy and Data Protection

21 March 2024 Deadline: Are your international data transfer agreements compliant?

If your organisation transfers personal data from the UK to another country, it needs to comply with statutory requirements to ensure adequate levels of protection for that data are in place.

art
  • 08 March 2024
  • Employment

The Labour Party proposes extensions to discrimination law

With a general election to come in 2024, it is vital that employers keep up to speed with the proposals of both major parties that are likely to affect the day-to-day operation of their business. 

art
  • 07 March 2024
  • Litigation and dispute resolution

What to expect from 2024 in Dispute Resolution

Now that two months of the year have passed, what changes might be expected in Dispute Resolution during the remainder of 2024?

art
  • 06 March 2024
  • Privacy and Data Protection

Personal Data Breaches – How do I deal with them?

This article will provide an overview of the steps to take when experiencing a personal data breach.