It is a well-established principle that an employee is entitled to request details of the personal data which his or her employer holds by submitting a data subject access request (DSAR). On first read, a DSAR will often seem fairly straightforward in terms of the information being requested. However, an employer can encounter unforeseen practical difficulties when embarking upon the collation exercise.
A common question that employers face is whether, when a DSAR requests that certain employees’ email inboxes should be searched for the purposes of obtaining their personal data, it is necessary to inform those individuals or obtain their consent prior to the search being conducted.
The problem in this scenario is fairly obvious: accessing the employees’ emails may also involve the processing of their personal data, so there is an argument that the employer must comply with the data protection principles under the GDPR and, as such, could seek the consent of the employees concerned. That said, given the issues with relying solely on consent under the GDPR (the main issue being that consent can be freely withdrawn at any time), the employer may instead choose to rely on one of the other conditions under Article 6 of the GDPR to justify the data processing. The most “suitable” option is likely to be compliance with a legal obligation, but an employer could also possibly look to rely on the “legitimate interests” justification.
Whichever lawful basis for processing is relied on, the employer has an obligation under the GDPR to provide certain information about the processing. The employer could check whether this has already been provided to the relevant employees, perhaps through a policy document which says that employers may retrieve messages in order to comply with a legal obligation. If the employer has not provided information previously, then it will need to consider how best to do so. In any event, it may wish to provide some information to the employees, for example about not deleting relevant emails or creating new emails about the data subject.
GDPR and data protection related issues can be complex. If you are faced with this type of situation or require support with any related issues, please contact a member of our Employment Team on 01274 864999, who will be able to assist.