Employee GDPR Subject Access Request: What Are the Employer's Real Obligations?

When an employee — or a former employee — exercises their right of access under Article 15 of the GDPR, the company must respond within a precise framework.

In theory, the principle seems straightforward: a person can request access to personal data concerning them.

In practice, handling a GDPR subject access request from an employee quickly raises numerous questions:

  • must the employer hand over all professional emails?
  • must they provide the entire HR file?
  • what if documents contain data concerning other individuals?
  • can certain confidential content be excluded?
  • how far must the employer go in their searches?

This is precisely where the difficulties begin.

Responding to an access request is not simply a matter of exporting documents. The employer must also:

  • identify the relevant personal data,
  • protect the rights of third parties,
  • set aside certain sensitive content,
  • and produce a response within a short timeframe.

Here is what the employer must actually do when an employee exercises their GDPR right of access.

What is an employee subject access request under Article 15 of the GDPR?

Article 15 of the GDPR grants every data subject the right:

  • to obtain confirmation as to whether personal data concerning them are being processed;
  • to access those data;
  • as well as certain information about the processing activities carried out.

Within a company, this right may be exercised by:

  • a current employee
  • a former employee
  • in some cases, a job applicant, an intern, or a contractor

In practice, an employee access request may concern data held across a wide range of systems:

  • HR files
  • professional emails
  • collaborative tools
  • internal messaging platforms
  • performance reviews
  • management documents
  • IT tickets
  • security systems
  • archives
  • shared drives

In other words, an access request is rarely limited to a single file or a single department.

Must the employer provide all requested documents?

No: the right of access does not automatically mean “hand over everything”

This is one of the most important points to understand.

The GDPR right of access relates to the personal data of the data subject. It does not necessarily mean that the employer must hand over every single document in which the employee appears or is mentioned.

In practice, the employer must:

  • identify the relevant documents or sources;
  • locate the personal data concerning the employee;
  • provide access to that data in a comprehensible form;
  • and do so without automatically transmitting every raw document in its entirety.

Practical example

An internal email may contain:

  • information concerning the requesting employee;
  • data about other colleagues;
  • confidential elements;
  • exchanges with no real connection to the subject of the request.

In such cases, the employer cannot simply “transfer everything”. They must often carry out an analysis and sometimes partial redaction.

In practice, a GDPR employee access request is therefore rarely a simple technical extraction. It is above all a process of document qualification and legal assessment.

What employee personal data may be covered?

The scope of communicable personal data is often broader than companies anticipate.

The following may be covered:

  • elements of the HR file
  • certain performance reviews
  • professional emails
  • exchanges in collaborative tools
  • internal notes or meeting minutes
  • certain technical traces or logs, depending on the circumstances
  • documents relating to career progression, remuneration, or internal procedures

However, this does not mean that every document mentioning the employee must be disclosed.

The right question is not:

“In which documents does their name appear?”

The right question is:

“What personal data concerning them are actually being processed, and in what form should they be communicated?”

This distinction is essential to avoid two opposite risks:

  • an incomplete response;
  • or, conversely, risky over-disclosure.

Must the employer search for data everywhere?

Yes, but following a serious and proportionate approach

The employer cannot settle for a purely formal or manifestly insufficient search.

On the other hand, they are not required to conduct unlimited investigations, particularly when the request is very broad, lacks focus, or is difficult to action as stated.

A serious search generally involves:

  • identifying the systems most likely to contain the data;
  • engaging the relevant teams (HR, legal, IT, security, etc.);
  • defining a coherent search scope;
  • documenting the method used.

Example

If an employee requests:

“I would like to receive all emails, messages, documents, and exchanges concerning me since I joined the company 9 years ago.”

Such a request may raise very practical difficulties:

  • very high volume
  • multiple tools involved
  • massive presence of third-party data
  • need for human review
  • risk of disproportionate effort

In practice, an employee access request must be handled seriously, but this does not mean the employer must undertake unlimited and disorganised searches.

What if documents contain data about other individuals?

The employer must protect the rights and freedoms of third parties

This is one of the most sensitive aspects of the GDPR right of access in the workplace.

In reality, professional documents almost always contain information about several people at once.

For example:

  • colleagues
  • managers
  • HR staff
  • clients
  • contractors
  • witnesses
  • individuals involved in a report or internal procedure

The employee’s right of access must not lead to an infringement of the rights and freedoms of others.

In practice, this often involves:

  • masking certain names or passages;
  • anonymising certain information;
  • redacting certain extracts;
  • or sometimes withholding certain elements altogether.

It is often this step — far more than the initial search — that makes an access request particularly burdensome to process.

Because finding the documents is not enough. They must then be analysed and secured before disclosure.

Can certain documents or information be excluded?

Yes, in certain cases

The employee’s right of access is not absolute.

Certain information may justify a limitation or partial non-disclosure, particularly where it touches on protected interests or competing rights.

The following may require particular attention:

  • personal data of third parties
  • certain information covered by trade secrets
  • exchanges protected by legal professional privilege
  • elements covered by medical confidentiality
  • certain communications relating to private life

Practical example

Exchanges between colleagues about a private outing, a personal relationship, or a conversation unrelated to professional activity do not necessarily fall within the scope of disclosure under an access request.

Similarly, the presence of personal data in a document does not automatically mean that the entire document must be transmitted.

Each item must be assessed with caution, on a case-by-case basis.

What is the deadline for responding to an employee GDPR access request?

In principle, the company must respond within one month of receiving the request.

This deadline may, in certain cases, be extended when the request is particularly complex or voluminous.

But in practice, this deadline is often difficult to meet when:

  • data is spread across multiple tools;
  • several teams need to be involved;
  • significant review and redaction work is required;
  • the request arises in a sensitive context (departure, dispute, litigation, internal investigation, etc.).

This is why employee access requests often become a major operational issue for companies.

Why are employee access requests so difficult to handle in practice?

On paper, the right of access may seem simple.

In reality, a GDPR employee access request often involves multiple functions:

  • HR
  • legal / DPO
  • IT
  • sometimes managers
  • and sometimes external advisors

The problem is not just about finding the information.

The real challenge is to:

  • distinguish what is disclosable from what is not;
  • protect third parties;
  • avoid risky over-disclosure;
  • produce a coherent and traceable response;
  • meet the deadlines.

In other words:

An access request is not a simple document export. It is an exercise in sorting, qualification, and securing.

Key takeaways for employers

When an employee exercises their right of access under the GDPR, the company must take the request seriously.

But it is not required to “send everything” without analysis.

In practice, the employer must:

  • respond within the timeframe required by the GDPR
  • conduct serious and proportionate searches
  • identify the relevant personal data
  • protect the rights of third parties
  • exclude or limit certain sensitive content where justified
  • provide a comprehensible, structured, and secure response

It is precisely this combination of:

  • thoroughness
  • speed
  • legal caution
  • and operational capability

that makes these requests so difficult to handle manually.

Conclusion

A GDPR subject access request from an employee is rarely a simple administrative formality.

It requires the company to navigate between several imperatives:

  • locating the data
  • analysing its relevance
  • protecting third parties
  • meeting the deadlines
  • securing the response

This is what makes Article 15 of the GDPR a far more operational matter than it might appear.

For companies, the real challenge is not simply accessing the information.

The real challenge is to produce, within a short timeframe, a response that is compliant, actionable, and legally defensible.

Disclaimer

This article is intended for general informational purposes only. It does not constitute legal advice and does not replace a case-by-case analysis, particularly where the access request arises in a sensitive context (pre-litigation, contentious departure, internal investigation, health data, exchanges with lawyers, etc.).

If in doubt, it is recommended to seek advice from a qualified legal professional.

Ready to manage your DSAR with no friction?

Your first DSAR is completely on us. No commitment, no credit card, no strings attached. Experience how Pinda transforms weeks of manual work into minutes.
