How to Handle Data Subject Access Requests from Employees & Ex-Employees?

It’s been over four years since the European Union’s General Data Protection Regulation (GDPR) came into effect. Since its enactment, the renowned data privacy law has revolutionized the data privacy landscape worldwide, as many global data privacy laws are based on the framework set up by the EU’s GDPR.

The GDPR allows EU residents to control how their personal data is processed by granting them several rights with respect to their personal data, including the right to access their personal data.

Like the GDPR, the California Consumer Privacy Act (CCPA), and its amendment, the California Privacy Rights Act (CPRA) also provides consumers with data subject access rights and several other rights. These rights ensure that customers have sufficient control over how their personal data is collected, stored, processed, protected, or sold to other parties.

Responding to DSARs from employees or ex-employees is challenging for employers because employees' personal data, such as their internal and external communications, emails, and other details, are frequently stored in unstructured data assets.

Consequently, employers need dedicated resources and tools to discover and analyze data to find relevant information specific to an employee who has requested a DSAR while ensuring the utmost data confidentiality of other employees.

The employer's failure to comply with a request as per the applicable privacy law and as per the stipulated time frame within the law can have substantial consequences for an organization, even though the requests may sometimes seem burdensome.

What Does the GDPR Say About DSARs by Employees?

Under the GDPR, data subjects have the right to access their personal data processed by the data controller. This includes the right to obtain confirmation from the data controller whether personal data about them is being processed and receive a copy of their personal data processed by the controller. This right can be exercised by the data subject by making a request to the data controller.

The GDPR protects all natural persons, including employees. Employers as data controllers are required to fulfill the DSARs of their employees within the same stipulated deadline of 30 days. This article provides a guide to employers on how they can handle DSARs in compliance with the provisions of the GDPR.

Data subjects in the workplace can be present employees, former employees, or even job candidates. They all can be qualified as data subjects under the GDPR.

What Should be the Scope of the Response of a DSAR?

Under the GDPR, all individuals have the right to inquire about what personal information an organization may have about them and to request a copy of that information, as well as other supplemental information. In response to a DSAR, the employer must provide the following information to the requesting employee:

• The purposes of the processing,
• The categories of personal data,
• The recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations,
• Where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period,
• The existence of the right to request from the controller rectification or erasure of personal data or restriction of processing or to object to such processing,
• The right to lodge a complaint with a supervisory authority,
• Where the personal data is not collected from the data subject, any available information as to the source,
• The existence of automated decision-making including profiling and meaningful information about the logic involved as well as the significance and envisaged consequences of such processing for the data subject.

In addition to providing the above information, the employer has the following obligations in connection to a DSAR:

• Where personal data is transferred to a third country or an international organization, the data subject should be informed of the appropriate safeguards relating to the transfer.
• Where possible, the employer should be able to provide remote access to a secure system that would provide the data subject with direct access to his or her personal data.
• Where the employer processes a large quantity of information, it should be able to request from the data subject, before the information is delivered to the data subject, to specify the information or processing activities to which the DSAR relates.

The employer's obligation to abide by a DSAR applies to any personal data about the individual their organization has on record. Any information kept about employees may qualify as personal data for DSAR purposes as long as the employees can be identified and the information relates to them specifically.

However, the employer is required to share only those information, including messages or email conversations with the requesting individual whose content relates to the requesting individual. This means that where the individual’s name is only mentioned and the overall content does not relate to him/her, the employer must respond that it has identified the individual's name on this many numbers of messages/emails without disclosing the content of those messages/emails.

In addition, the employer is generally obliged to search for personal data throughout all systems. However, due to a large quantity of information, the employer has the possibility under the GDPR to request the data subject to specify the information he/she wants to access. This will allow the employer to narrow down the search. This has been clarified in Recital 63 of the GDPR.

Information should be provided to the data subject in writing, including, where appropriate, by electronic means. When requested by the data subject, the information may be provided orally if the data subject's identity is proven by other means.

Are there any Charges for a DSAR Under GDPR?

As per Article 12(5) of the GDPR, information to the requesting data subject should be provided free of charge.

However, when a data subject makes requests that are manifestly unfounded or excessive, especially given their recurrent nature, the data controller may charge a reasonable fee considering the administrative expenses incurred in delivering the information.

Response Time for a DSAR Under GDPR

As per Article 12(3) of the GDPR, the data controller must provide the information to the data subject without undue delay and, in any case, within one month of receiving the request. Depending on the complexity of the request and the number of requests by the data subject, the response time frame may be extended to two further months.

However, the data controller must notify the data subject of any such extension of the timeline along with the reasons for the delay and the data subject’s right to lodge a complaint with a supervisory authority and seek a judicial remedy within one month of receipt of the request. The information should be conveyed electronically if the data subject submits a request using an electronic form unless the data subject specifies otherwise.

Can the Employer Refuse to Honor the DSAR Under GDPR?

An employer may decline to give all or part of the requested information if an exemption applies as per the national applicable data privacy law.

As per the GDPR, the data subject’s right to obtain a copy of personal data must not adversely affect the rights and freedoms of others, including trade secrets or intellectual property and, in particular, the copyright protecting the software. This means in response to a DSAR, employers must not disclose third-party data.

Employers must not disclose personal data belonging to a third party without taking consent from third parties due to the impact on the rights and freedoms of third persons. In such a case, employers must provide only as much information as possible after leaving out or redacting, or rendering illegible those parts that have third-party information or parts that may have negative effects on the rights and freedoms of others.

However, having third-party information should not be the ground for the complete refusal of an access request. The employer must respond with as much information as possible without disclosing third-party data.

The GDPR also allows member states to have their own restrictions while responding to data subjects’ requests. For example, a member state law could say that controllers are not obliged to provide information that is held for management forecasting or management planning (information about promotion, transfer of employees, etc.). Therefore, employers must carefully check the requirements of the national provisions and take note of any specific conditions that may apply within domestic law.

The data controllers must record reasons for any refusal to a DSAR in order to be able to demonstrate compliance. Moreover, reasons for refusal of the DSAR must be recorded and communicated to the individual diligently and clearly.

What Actions Can an Employee Take if the Employer Does Not Respond?

If the data controller does not respond to an employee’s DSAR or only gives them a part of what they have requested and the employee believes they should receive more details, the employee can take several actions, such as:

• Lodge an official complaint with the relevant supervisory authority.
• Write an application to the court alleging a violation of the subject access request and requesting the court to ensure compliance.
• Make an official claim for compensation and, if the employee can prove that they were harmed, a claim for damages against their employer.

Learn more about employee data under GDPR.

What Does the CPRA Say About DSAR?

Data Subject Access Requests (DSAR) were a crucial component of the privacy protections provided by the California Consumer Privacy Act (CCPA) when it was passed in 2019. By law, organizations must swiftly respond to these demands by collecting and providing the required information related to the collection and processing of personal information to the consumer or provide reasons for refusing to honor the request.

However, under the CCPA, only consumers could submit DSARs, and current and former employees, including job applicants, could not. This is because, as per CCPA Section 1798.145(h), personal information collected by businesses within an employment context was exempt from CCPA protections (apart from providing former and current employees and job applicants with a notice at the point of collection of personal information as per CCPA Section 1798.100 and the quantum of damages a business is liable to pay for a breach incident caused by its unreasonable security practices). However, this exemption is set to expire on January 1st, 2023. From this date, the CPRA amendments come into effect, and thus all the DSAR protections under CPRA will now be available to former and current employees and job applicants in California.

Learn more about CPRA Employee Data Obligations.

How to Receive DSARs Under CPRA

As per CPRA Draft Regulations § 7020:

• A business that operates exclusively online and has a direct relationship with an employee or job seeker from whom it collects personal information shall only be required to provide an email address for submitting DSARs;
• Other businesses shall provide two or more designated methods for submitting requests, such as a designated email address, a form submitted in person, and a form submitted through the mail, etc.;
• A business shall consider the methods by which it primarily interacts with its employees and job seekers when determining which methods to provide for submitting requests;
• If employees and job seekers submit a request in a manner that is not one of the designated methods of submission, or is deficient in some manner unrelated to the verification process, the business is liable to treat it as if it had been submitted correctly or provide the consumer with information on how to submit the request correctly.

What is the Response Time for a DSAR Under CPRA?

For the organization to avoid possible fines and penalties, a response is required within 45 days. An extension is permitted of up to 90 days where necessary, but the consumer must be informed as to the reasons why the extension in time was necessary. As per the draft CPRA Regulations § 7021, the business must acknowledge receipt of a verified DSAR within a time period of 10 days.

What Information Should be Provided in a DSAR Under CPRA?

As an employer operating in California or doing business there, if you receive a DSAR from a current or former employee or a job applicant, you may be asked to disclose specific pieces of personal information or information on categories of personal information collected and processed by you.

Businesses are required to provide all the personal information they have collected and maintained about former and current employees and job seekers, including personal information collected and maintained pursuant to a written contract, on or after January 1, 2022, including beyond the 12-month period preceding the business’s receipt of the request, unless doing so proves impossible or would involve disproportionate effort or the consumer requests data for a specific time period.

In case you are required to disclose specific pieces of personal information, you should note that as per draft CPRA Regulations:

• A business shall not disclose a consumer’s Social Security number, driver’s license number, or other government-issued identification number, financial account number, any health insurance or medical identification number, an account password, security questions, and answers, or unique biometric data generated from measurements or technical analysis of human characteristics. It shall only inform the consumer with sufficient particularity that it has collected the type of information.
• If a business denies a consumer’s verified request to know specific pieces of personal information, in whole or in part, because of a conflict with federal or state law or an exception to the CPRA, the business shall inform the requestor and explain the basis for the denial, unless prohibited from doing so by law.

In case you are required to disclose information on categories of personal information collected by you as an employer, you must disclose:

• The categories of personal information collected;
• The categories of sources;
• The business or commercial purposes for collecting or selling the information;
• The categories of third parties with whom the business shares personal information;
• The categories of personal information sold and the categories of third parties to whom the personal information was sold;
• The categories of personal information that the business disclosed for a business purpose and the categories of third parties to whom the personal information was disclosed to.

Other Requirements to be Fulfilled to Honor a DSAR Under CPRA

As an employer, if an employee asks for their personal data, the CPRA mandates organizations to:

• Verify the identity of the requestor to see if they have any information on the person and to decide whether to grant access to the data,
• Accept requests from authorized representatives of the employee/job-seeker,
• Understand the nature of the request to determine if they can meet the DSAR within the 45-day window,
• Identify the categories of personal information, categories of sources of personal information, and categories of third parties to whom a business sold or disclosed personal information, in a manner that provides employees and job seekers a meaningful understanding of the categories listed.

Fines for Not Honoring DSAR Under CPRA

Given that there are more than 40 million residents of California, CCPA's compliance had a broad impact, and so will compliance with the CPRA. This is because most organizations' databases will contain at least a few Californians, and as a result, they will be subject to the CCPA/CPRA.

Additionally, the CPRA imposes $2,500 for every unintentional violation and $7,500 for intentional violation, which includes receiving and honoring DSAR requests from current and former employees and job applicants for personal information collected in an employment context.

It is also important to note that the CCPA’s cure provision, which allowed businesses 30 days to cure their violations, has been removed from the CPRA - thus, businesses in California cannot afford to be non-compliant now and expect a chance to correct their actions without facing liability. Learn how to automate DSAR under CCPA.

How an Employer Honors DSAR Under CPRA?

Under the CCPA and CPRA, the right to access personal data must be provided electronically, in a portable format, and to the extent technically feasible, provided in a readily usable format that the consumer can transmit to another entity without hindrance.

What Exemption Concerning DSAR May Apply Under CPRA?

Regarding the right to access personal data, the CCPA/CPRA highlights certain exemptions: as per CPRA Regulations § 7024(c), a business is not required to search for personal information if all of the following conditions are met, including:

1. The business does not maintain the personal information in a searchable or reasonably accessible format;
2. The business maintains the personal information solely for legal or compliance purposes;
3. The business does not sell the personal information and does not use it for any commercial purpose;
4. The business describes to the consumer the categories of records that may contain personal information that it did not search because it meets the conditions stated above.

How Securiti Can Help

Depending on its organization's complexity, manual DSAR processing can run a business anywhere from $1,400 to $10,000 for every DSAR. Despite this, several businesses aren't set up to manage DSARs cost-effectively.

The modern-day and most efficient method of honoring DSAR is by embracing DSAR automation. Automation enables businesses to save costs during the DSAR process, significantly reduce the risk of compliance penalties, and ensure brand image remains intact.

Additionally, individuals increasingly expect more transparency from businesses that collect their personal data. Businesses must ensure they’re better custodians of an individual’s data and that their data processing practices comply with evolving data privacy laws to avoid non-compliance penalties.