EU: FAQs on employee DSARs - what you need to know

The right of access is enshrined in Article 15 of the General Data Protection Regulation (GDPR). An employee data subject access request (DSAR) is when an employee asks for all the information relating to them which their employer, as the data controller, holds. In this Insight article, OneTrust DataGuidance asks some key questions on employee DSARs, with answers provided by Laura De Boel and Laura Brodahl, from Wilson Sonsini Goodrich & Rosati, Axel Anderl, from DORDA Rechtsanwälte GmbH, Chantal Van Dam, from Hogan Lovells, and Dr. Jessica Jacobi, from KLIEMT.HR Lawyers.


Laura and Laura, how should companies assess whether a DSAR coming from an employee is vexatious or bad-spirited?

Since the entry into force of the GDPR in 2018, companies have experienced an increase in DSARs from current and former employees, seeking access to their personal data. Such DSARs can be connected to contentious situations, making them challenging for companies to manage, for example, where a DSAR is used as a way to put pressure on an employer in an employment dispute. Such requests typically cover personal data processed over long periods of time and often involve substantial volumes of data managed by diverse entities (e.g., HR files spanning several years). Recognizing a 'vexatious' or 'bad-spirited' request can be straightforward in some cases based on the tone or content of the message. Examples include inappropriate or offensive language, as well as threats against or comments about other employees or the company. The message may also reference specific events or explicitly ask to receive particular types of data, such as reports from performance reviews, grievance hearings, or interactions with other employees (e.g., specific colleagues or managers).

However, in many cases, determining the nature of a request may be less apparent from the message itself. In such cases, it is important to consider the broader context in which the DSAR is submitted or the history between the company and the requestor. This may involve factors such as recent employee evaluations or termination of employment, workplace accidents, or denied opportunities or services. In all cases, the company will need to carefully assess how to respond to the DSAR and ascertain if there are legitimate grounds to refuse to grant the request under applicable data protection laws. The exemption grounds that companies can rely on may vary depending on national court case law and decisions from data protection authorities.

And how should companies balance the duty of confidentiality with a DSAR?

Companies should assess whether the information they intend to disclose in response to a DSAR is subject to a confidentiality obligation. A duty of confidentiality can arise in various situations. For example, the requested data may not only relate to the requester but also to another individual (such as another employee, family member, or customer). For instance, if an employee requests a copy of a human resources file, it may contain information about colleagues who contributed to or are discussed in that file (e.g., details on medical, legal, financial, or trade union matters). The information may also be business sensitive (e.g., trade secrets, confidential information about customers, or sensitive information about internal processes). For example, if an individual requests information about a decision made by the company, the decision may reveal information about the functioning of company products or services.

In such cases, the company may be prohibited from sharing such information with the requester and need to redact it. This means companies must carefully balance a requester's right of access with the rights and interests of third parties.

Axel, many employee DSARs appear to be submitted to challenge wider HR processes, such as grievance or disciplinaries. What are some best practices for employers handling such DSARs from employees?

First of all, an upfront detailed set of information on any potential internal investigations, screenings, and compliance issues should be contained in employees' privacy notice. This is simply professional and also massively lowers the risk of an immediate notice to an employee being needed in case of a future action by the employer. In doing so, the employer gains more time to decide when and how to inform involved employees in case of ongoing investigations.

However, it goes without saying that affected employees may use their rights according to Article 15 et seq. of the GDPR in order to receive information on wider HR processes. As long as there is no clear legal justification to withhold such information – e.g., due to the EU Whistleblower Protection Directive – the employer needs to respond within one month. Nonetheless, in case any other employees, such as witnesses or whistleblowers, are involved, their personal data needs to be blackened. This also covers related indicators that would reveal their identity (like function, position etc.). In our experience, this can also be validly argued in case of pending proceedings with the competent supervisory authority. As a result, a detailed balancing of interests needs to be conducted and documented to explore whether the rights of the requesting employee or the interests of any other involved colleague are overriding.

Chantal, how should employers deal with requests from employees who ask for access to all their personal data, and refuse to narrow down the scope?

In the Netherlands, employees have the right to request an overview of all their personal data processed by their employer. This overview should enable the employee to ascertain that their personal data is accurate and lawfully processed. Dutch law does not provide for any additional exemptions to the right to access specific to the employer-employee relationship. The general exemptions provided in the GDPR apply, for instance, in case of excessive requests or requests that adversely impact the rights and freedoms of other individuals.

While employers may ask employees to narrow the scope of their access request, an employee is not obliged to limit or specify the reason for the request. An unlimited access request of an employee will generally not qualify as an excessive request, which means that employers will need to provide a full overview of all personal data processed. However, actual documents or copies of documents that contain personal data do not have to be provided. Employers also generally do not have to disclose internal correspondence or internal notes. Employers can, however, be obliged to provide a copy of a document if such a copy is indispensable to allow the employee to effectively exercise their privacy rights, for instance, if such documents also contain factual and valuation data about the employee's characteristics or behavior, data which does not always lend itself well to inclusion in a general overview.

We see in practice that many employees submit DSARs as leverage during labor disputes and settlement agreement negotiations. Even when these requests and disputes are dealt with to the satisfaction of both parties, employers need to be mindful that employees may submit a complaint to the Dutch data protection authority (AP) at any time. The AP is required to investigate every complaint and often uses such complaints to further investigate the privacy compliance framework of companies.

Jessica, DSARs may be submitted for purposes of litigation, usually by solicitors. Do you consider this against the fundamental purposes of DSARs and an abuse of process?

Since the implementation of the GDPR in 2018, we have seen a growing number of DSARs in Germany, both in the civil law processes and with my own firm's specialization in employment law. In most cases of employment litigation, this is a mixed motivation at best:

  • One aspect is to simply cause a lot of work on the employer side, to make a profitable settlement more likely. Unfortunately, the European Data Protection Board in its 2022 guidance on DSARs[1] states very clearly that the data subject does not need to give reasons for the access request. So, it is a rare case that a DSAR can be rejected as being excessive. It is, however, common practice in the face of a DSAR that is not limited with regard to topics, time frame or custodians to do a reasonable search, limiting the time frame, or limiting the search to certain relevant topics.
  • The other motivation sometimes is to find out about information that may be relevant during the ongoing employment law dispute, which is usually about whether a termination is enforceable. As opposed to Anglo-Saxon law, German law, as the law of a civil law country, does not have pre-trial discovery. Being forced by a DSAR to provide the plaintiff with internal information is a structural breach of that principle. Employers need to evaluate to what extent they can defend themselves against the DSAR by arguing that the information potentially touches third-party interests. Case law is still developing on that aspect. But it is clear that confidential information about other persons does not need to be disclosed (so it is protected by redacting or extracting). Also, internal tactical discussions and internal exchange with the legal department or external legal counsel should not be disclosed, arguing that this would go against the interest of the employer's company.

It is advisable to properly document the legal approach taken when evaluating what information can be disclosed. Although guidance and case law from the German data protection authorities (DPAs) is still rare with regard to DSARs, the answer to a DSAR can easily trigger a complaint with the DPA, in which case the authority usually is forced to become active.

We also see an increasing amount of case law of plaintiffs demanding the payment of damages based on the delayed or inaccurate answer to their DSAR. So far, German case law is fairly moderate in the amounts that are being awarded to those plaintiffs, with amounts of roughly €1,000.

Victoria Prescott Editorial Team Lead

With comments provided by:

Laura De Boel Partner
Laura Brodahl Senior Associate
Wilson Sonsini Goodrich & Rosati, Brussels

Axel Anderl Managing Partner
DORDA Rechtsanwälte GmbH, Vienna

Chantal Van Dam Counsel
Hogan Lovells, Amsterdam

Dr. Jessica Jacobi Partner
KLIEMT.HR Lawyers, Berlin

1. The finalized guidelines can be accessed here: