What data subject access rights do employees have under the UK GDPR?
Employees, job applicants and other "data subjects" have the right under the UK General Data Protection Regulation (UK GDPR) to make a data subject access request to obtain details from the employer of any personal data relating to them that it is processing.
The data subject has the right to access personal data concerning them and obtain information about it, including:
- the purposes for which it is being processed;
- the categories of personal data concerned;
- any recipients or categories of recipients of the data;
- the envisaged retention period for the data, or the criteria used to determine that period.
The employer must also inform the employee of other information, including their rights to request rectification or erasure of the data, to request the restriction of processing and to object to processing.
Employers (and other data controllers) must respond to a data subject access request "without undue delay" and within one month at the latest, although this can be extended by two further months where necessary, taking into account the complexity and number of requests.
Under the UK GDPR, if an employer receives a request that is manifestly unfounded or excessive, it can either charge a reasonable fee, taking into account the administrative costs of responding to the request, or refuse to act on the request.
The UK GDPR states that, where the data subject makes a request by electronic means, the information "shall be provided by electronic means where possible", unless the data subject requests otherwise.