News & Blog

A Guide to Employee Subject Access Requests (SARs) for Employers under GDPR

Data privacy is a concern for employees and employers. An important aspect of data protection is managing employee Subject Access Requests (SARs).

overnance, Risk and Compliance Officers

Data privacy is a concern for employees and employers. An important aspect of data protection is managing employee Subject Access Requests (SARs). As an employer, it’s crucial to understand your responsibilities when it comes to handling employee personal data). This post delves into the key concepts, processes, and best practices surrounding employee SARs.  

What are Subject Access Requests (SARs)?

A Subject Access Request, commonly referred to as a SAR, is a legal right granted to individuals under the GDPR. It allows individuals to request access to the personal data that an organization holds about them. SARs empower individuals to have better control over their personal information and understand how it is being processed.  According to the ICO, an employee SAR could be as simple as:

  • An employee requesting their HR file
  • An employee requesting notes from their last appraisal
  • An employee asking what information about them the employer holds
  • A copy of emails sent by the employees’ manager regarding a verbal warning

Key Steps in Handling Employee SARs

Receiving an employee SAR

When an employee SAR is submitted, it’s important to acknowledge the request promptly. The GDPR stipulates that you must respond to SARs without undue delay and within one month of receiving the request. However, in complex cases, you might be able to extend this period by two additional months. You need to let the employee know if the time period is to be extended. Do this as soon as you know that more time is required, also let them now that it is due to the complexity of the request.

Verifying the Identity

To ensure the security of personal data, it’s essential to verify the identity of the individual making the SAR. This step helps prevent unauthorized access to sensitive information. In a large organization where names may be similar, or employees may have access to email logins, it is vital to be sure that the employee SAR is for the correct employee.

Gathering and Reviewing Data

Once the individual’s identity is verified, you need to locate and gather all relevant personal data. This includes data stored electronically or in physical files, emails, and any other relevant records.  Data and retention platforms such as ComplyKEY MailMeter and SISCIN can make this process much quicker.

Legal Privilege and Third-Party Information

While fulfilling an employee Subject Access Request, you should not disclose any information that is subject to legal privilege or includes third-party personal data without their consent. Balancing transparency and legal requirements is essential in this process.

Providing the Response

Prepare a comprehensive response to the SAR that includes the requested information. This could be in the form of copies of documents or a summary of data, depending on the nature of the request.

Challenges and Best Practices

Volume and Complexity of the employee SAR

Handling employee Subject Access Requests can be overwhelming, especially in organizations with large amounts of data. Implement efficient data management systems and processes to streamline the SAR response process.  Software solutions such as ComplyKEY Control automate the workflow and find the required data quickly.

Data Security

Safeguard the employee’s personal data throughout the process. Be careful and ensure it’s not accidentally shared with unauthorized individuals.

Timely Response

Meeting the one-month response deadline is critical. If you require an extension, communicate this to the employee within the initial month and provide valid reasons for the delay.

Employee Training

Educate your staff about SARs and data protection principles to ensure a consistent and compliant approach.


Maintain open communication with individuals making SARs, keeping them informed about the progress and any potential delays.

Employee Subject Access Requests are a fundamental right under the GDPR. As an employer, mastering the employee SAR process is crucial to upholding data protection standards and maintaining trust with your employees. By adhering to the steps and best practices outlined in this guide, you’ll be well-prepared to manage employee SARs effectively, promoting transparency, privacy, and responsible data handling within your organization.