HR guides

Subject access requests : HR guide



In this guide I explain how employers should respond to subject access requests.

Personal data

Individuals have a right to make data subject access requests under the General Data Protection Regulations (GDPR).

The subject access request must relate to personal data. Personal data means any information relating to an identifiable person who can be identified directly or indirectly.

A request may be wide in scope but if the request is very wide it may be less effective. Requests are often limited to subject matters, dates and for emails, the person receiving or sending the email.

Timescale to respond to subject access requests

The subject access request must be completed without undue delay and at least within one month.

The timescale can be extended up to two months if the request is complex and or the individual has made numerous requests.

Any extension and the reason for the extension should be communicated in writing before the initial one month expires.

subject access requests timescale

Information supplied for subject access requests

The employer should provide the following:

  • A copy of the personal data being processed. (There are rules about processing data that includes information about other people. See the Information Commissioner’s Office (ICO) Guidelines.)
  • Confirmation of the purposes of the processing.
  • Clarification of the categories of personal data and the categories of the recipients the personal data has been disclosed to or will be disclosed to.
  • Information relating to the source of the data.
  • The period for which the data will be stored.
  • The data subject’s rights.

subject access requests information


If the request is manifestly unfounded or excessive, an employer can refuse the subject access request.  The ICO has provided guidelines on what could be manifestly unfounded or excessive.

A request could, for example, be manifestly unfounded if it was malicious with the sole purpose of disrupting the employer.

An excessive request could, for instance, be where it overlaps with a previous request.

If an employer refuses the subject access request it must give reasons to the employee.

However, rather than take the risk of a dispute the employer may be better off to answer the request in so far as a proportionate and reasonable response but reserve their position to argue that it was manifestly unfounded or excessive if challenged.

subject access request refusal

Fees for subject access requests

Generally employees cannot charge a fee for a subject access request.

Employers though are able to charge a reasonable fee for administrative costs where the request has been manifestly unfounded or excessive.


There are a number of exceptions to providing subject access requests. Examples include:

  • There is no obligation in relation to personal data which carries legal professional privilege.
  • There is no obligation for a confidential reference for employment, training or educational purposes.

For details of all the exceptions see the ICO guidelines.

This guide is intended for guidance only and should not be relied upon for specific advice.

If you need any advice on subject access requests or have other employment law queries please do not hesitate to contact me on 020 3797 1264.

Do check regularly for updated information.

Contact Matt Today 020 3797 1264

    Please complete the form below to download the HR Guide for free