What is a DSAR? Understanding Article 15 GDPR in the Employee Context

A comprehensive guide for HR and Legal leaders on the "Right of Access," why employee data requests are rising, and how to handle the complexities of Article 15 without drowning in paperwork.


Jane Doe

Head of Marketing


For modern enterprises and SMBs operating in Europe, the acronym DSAR is becoming a frequent topic of conversation between Legal, HR, and IT departments.

While the General Data Protection Regulation (GDPR) has been in effect since 2018, we are currently witnessing a sharp rise in Data Subject Access Requests (DSARs) coming not just from customers, but from current and former employees.

For a Head of HR or General Counsel, an employee DSAR is significantly more complex than a standard consumer request. It involves sensitive internal communications, performance reviews, and unstructured data scattered across dozens of platforms.

So, what exactly is a DSAR under Article 15, and what are your obligations as an employer?

The Legal Definition: Article 15 GDPR

DSAR stands for Data Subject Access Request. It is the mechanism by which an individual exercises their "Right of Access" as enshrined in Article 15 of the GDPR.

Article 15 states that a data subject (in this case, your employee) has the right to obtain confirmation from the data controller (you, the employer) as to whether or not personal data concerning them is being processed.

If that data is being processed, the employee has the right to access that data and receive the following information:

  • The purpose of the processing.

  • The categories of personal data concerned (e.g., payroll, emails, HR files).

  • The recipients to whom the data has been disclosed (e.g., third-party payroll providers, benefits administrators).

  • The retention period (how long you plan to keep the data).

  • Information regarding their rights to rectification or erasure.

Why Employee DSARs Are Different (and Difficult)

Most organizations have automated their consumer DSARs. If a customer asks for their data, a script runs against a CRM database, exports a CSV, and the ticket is closed.

Employee DSARs are different.

Employees generate a massive footprint of "unstructured data." To fulfill an Article 15 request for an employee who has been with you for five years, you may need to search through:

  1. Communication Tools: Slack, Microsoft Teams, Zoom chats.

  2. Email Archives: Years of correspondence sent and received.

  3. HRIS Systems: BambooHR, Workday, etc.

  4. Productivity Tools: Jira tickets, Trello boards, Google Docs.

The "Weaponized" DSAR

It is increasingly common for DSARs to be used as a strategic tool during employment disputes, dismissals, or tribunal hearings. Disgruntled employees or their lawyers may file a DSAR to fish for evidence or simply to put pressure on the organization due to the administrative burden required to respond.

The 30-Day Deadline

Under GDPR, you have one calendar month (roughly 30 days) to respond to a DSAR. You can extend this by two further months if the request is complex, but you must inform the employee of the extension within the first month.

For an HR or Legal team relying on manual processes, gathering terabytes of data, reviewing it for privilege, and redacting sensitive information within 30 days is a race against the clock.

The Redaction Challenge: Protecting Third Parties

Perhaps the most time-consuming aspect of an employee DSAR is redaction.

Article 15 gives the employee the right to access their own data, not the data of others. If an employee requests their email history, those emails will almost certainly contain personal data of clients and colleagues, and may contain sensitive business information.

Before releasing the data, the organization must:

  • Identify third-party data.

  • Redact names, email addresses, and private information of other individuals.

  • Ensure that no legally privileged information (e.g., communications with outside counsel) is released.

Doing this manually with a PDF editor is not only inefficient; it is prone to human error that can lead to a secondary data breach.
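To make the three redaction steps above concrete, here is an added illustration (not code from this article or any product it describes) of how a first-pass redaction could be scripted over a constructed mailbox export: messages involving an assumed outside-counsel domain are withheld as privileged, and every email address and known third-party name other than the requester's own is replaced before disclosure. The requester address, the privileged domain list, the third-party directory and the messages are all invented sample values.

```python
import re

# Constructed sample values, not real data.
REQUESTER = "alex.smith@example.com"
PRIVILEGED_DOMAINS = {"outsidecounsel.example"}      # assumed law-firm domains
THIRD_PARTIES = {                                     # assumed directory of other individuals
    "maria.lopez@example.com": "Maria Lopez",
    "client@customer.example": "Priya Nair",
}
MESSAGES = [  # constructed mailbox export: one dict per message
    {"from": "maria.lopez@example.com", "to": ["alex.smith@example.com"],
     "body": "Hi Alex, Maria Lopez here. Priya Nair at client@customer.example asked about the review."},
    {"from": "alex.smith@example.com", "to": ["legal@outsidecounsel.example"],
     "body": "Can we discuss my grievance?"},
    {"from": "hr@example.com", "to": ["alex.smith@example.com", "maria.lopez@example.com"],
     "body": "Alex, your 2023 review is attached."},
]

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def is_privileged(msg):
    """Withhold any message exchanged with an outside-counsel domain."""
    parties = [msg["from"], *msg["to"]]
    return any(p.split("@")[1].lower() in PRIVILEGED_DOMAINS for p in parties)


def redact_text(text, requester):
    """Remove every address except the requester's own, then known third-party names."""
    def keep_or_mask(m):
        return m.group(0) if m.group(0).lower() == requester else "[REDACTED EMAIL]"
    out = EMAIL_RE.sub(keep_or_mask, text)
    # Longest names first so a short name never clobbers part of a longer one.
    for name in sorted(THIRD_PARTIES.values(), key=len, reverse=True):
        out = re.sub(re.escape(name), "[REDACTED NAME]", out)
    return out


def prepare_disclosure(messages, requester):
    """Split the export into a redacted disclosure set and a withheld (privileged) log."""
    disclosed, withheld = [], []
    for msg in messages:
        if is_privileged(msg):
            withheld.append({"reason": "legal privilege", "from": msg["from"]})
            continue
        disclosed.append({
            "from": redact_text(msg["from"], requester),
            "to": [redact_text(t, requester) for t in msg["to"]],
            "body": redact_text(msg["body"], requester),
        })
    return disclosed, withheld
```

A script like this only produces a candidate bundle; a human reviewer still has to check the withheld log and spot names that are not in the directory before anything is released.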

Does "Everything" really mean "Everything"?

There is often confusion regarding the scope of Article 15. Does an employee have the right to every single email they were ever cc'd on?

Recent case law suggests that the purpose of Article 15 is to allow the individual to verify the lawfulness of processing. While the scope is broad, it is not limitless. However, the burden of proof lies with the employer. You must demonstrate that you have conducted a reasonable and proportionate search.

How to Prepare Your Organization

If you are a Head of Legal, HR, or IT, reactive compliance is no longer sustainable. To scale your response capabilities, consider the following steps:

  1. Data Mapping: Ensure IT maintains an up-to-date map of where employee data lives (including Shadow IT applications).

  2. Retention Policies: Enforce strict data retention policies. If you delete data routinely when it is no longer needed, you do not have to search through it later.

  3. Automation: Manual email searches and manual redaction are the bottlenecks. Implementing a dedicated DSAR automation solution allows you to connect to your data sources, use AI to identify personal data, and auto-redact third-party information instantly.

Conclusion

A DSAR under Article 15 GDPR is a fundamental right for employees, but it represents a significant operational challenge for employers. As employees become more aware of their data rights, the volume of these requests will only increase.

Moving from manual spreadsheets to an automated workflow is the only way to ensure compliance, protect third-party privacy, and keep your HR and Legal teams focused on their core jobs—not document review.
