Employee DSARs: What Happens When Your Own Staff Requests Their Data
How to handle employee DSARs: what data is in scope, tricky areas like manager opinions and investigation notes, and practical advice.
Last updated: 2026-02-07
Yes, Your Employees Can DSAR You
This catches many small business owners off guard. You think of DSARs as something customers do. Then one morning, an employee — maybe one you are about to let go, maybe one who is in a dispute with a manager, maybe one who is just curious — sends you an email asking for all the personal data you hold about them.
Disclaimer: This article is for informational purposes only and does not constitute legal advice. Privacy regulations are complex and change frequently. You should consult a qualified attorney for guidance specific to your business. The information here is based on the GDPR (in particular Article 15), the UK GDPR / Data Protection Act 2018, and relevant employment law context, as of the date of publication.
And the answer is: yes, they have every right to do that, and you have every legal obligation to respond.
Employee DSARs are one of the most common types of data subject access requests (GDPR Article 15), and they are often the most complex. The data is spread across more systems, the exemption questions are thornier, and the stakes (particularly during employment disputes) are higher.
This guide covers what you need to know as a small business owner when an employee — current, former, or prospective — asks for their data.
For the general DSAR overview, see What Is a DSAR?. For the step-by-step response process, see How to Respond to a DSAR.
Why Employees Make DSARs
Understanding why helps you respond appropriately (though, to be clear, you must respond regardless of the reason, and you cannot ask employees to justify their request).
Common reasons include:
- Employment disputes — the employee is in a grievance or disciplinary process and wants to see what is in their file
- Pre-litigation — the employee is considering (or has already decided on) legal action and wants to gather evidence
- Curiosity — they genuinely want to know what data you hold, particularly if they have been with the company a long time
- Leaving the company — they want copies of their data before they go
- Concerns about surveillance — they suspect monitoring and want to know what data is being collected
- Data protection awareness — they attended a training session or read an article and decided to exercise their rights
The reason does not affect your obligation. Even if you know the request is preparation for a tribunal claim, you must respond. The fact that someone intends to use their data in proceedings against you is not a basis for refusal.
What Employee Data Is in Scope?
This is where employee DSARs get complicated. You hold far more personal data about employees than you typically realize. Here is what is likely in scope:
HR Records
- Employment contract and any amendments
- Job application, CV, and interview notes
- Offer letter and onboarding documents
- Probation review documents
- Role changes and promotion records
- Training records and certifications
- Absence records (sick leave, annual leave, parental leave)
- Working time records
- Right-to-work documentation
- Equality monitoring data (where held)
Payroll and Benefits
- Salary details and pay history
- Bank account details (for salary payments)
- Tax records (P45, P60, P11D in the UK; W-2, 1099 in the US)
- Pension contributions and records
- Benefits enrollment and usage
- Expense claims and reimbursements
Performance and Development
- Performance reviews and appraisals
- Objective-setting records
- 360-degree feedback (see the tricky section below)
- Development plans
- Coaching or mentoring notes
- Talent management assessments
- Succession planning documents (where they name the employee)
Disciplinary and Grievance
- Disciplinary records and outcomes
- Grievance records and outcomes
- Investigation notes and evidence
- Witness statements (subject to third-party redaction)
- Warning letters
- Appeal documentation
Communications
- Emails — this is the big one. Every email the employee sent, received, or was mentioned in by name could be in scope. For a long-serving employee, this can be thousands of emails.
- Internal messaging (Slack, Teams, etc.) — messages they sent, received, or are identifiable in
- Notes and memos that reference the employee by name
- Meeting minutes where the employee is discussed
Monitoring and Security
- CCTV footage — if the employee is identifiable in it, it is their personal data
- Building access logs (swipe card records)
- IT system access logs
- Internet and email monitoring data (if you monitor usage)
- Vehicle tracking data (if you use GPS on company vehicles)
- Phone records (company phone call logs)
Third-Party Sources
- References you received about the employee
- Background check results
- Occupational health reports
- External investigation reports
The Tricky Areas
Employee DSARs throw up several situations that are not straightforward. Here is how to handle the most common ones.
Manager Opinions and Comments
Managers write things about employees. Performance review comments, notes in HR systems, casual remarks in emails. These are personal data about the employee, and they are in scope.
This means that if a manager wrote "I don't think Sarah is management material — she lacks strategic thinking" in a performance review or an email to HR, Sarah gets to see that in a DSAR response.
There is no "internal opinion" exemption. If the data is about an identifiable individual, it is their personal data (UK GDPR Article 15). The practical implication: train your managers to write about employees as though the employee might one day read it. Because they might.
360-Degree Feedback
If you use 360-degree feedback, the question is whether you need to disclose who said what. The answer depends on the circumstances:
- If feedback was collected on a named basis — the respondent is identifiable and the feedback is personal data about the employee. You must disclose it.
- If feedback was collected on an anonymous basis — you promised respondents anonymity, and the feedback cannot identify the respondent. You should provide the feedback but can redact any information that would identify the respondent.
The problem arises when "anonymous" feedback is not actually anonymous — for example, if only one person in a particular role provided feedback, making them identifiable from the content alone. In those cases, you must carry out a balancing exercise between the employee's right of access and the respondent's reasonable expectation of anonymity, and document how you reached your decision.
Investigation Notes
If the employee is the subject of an investigation (disciplinary, grievance, or even a fraud investigation), the investigation records contain their personal data and are generally in scope.
However, there are potential exemptions:
- Crime prevention and detection — if disclosure would prejudice an ongoing criminal investigation
- Legal professional privilege — if the notes include legal advice
- Third-party data — witness statements may need to be redacted to protect the identities of other individuals, particularly whistleblowers
If there is an active investigation, get legal advice before responding to the DSAR. Timing matters — you may be able to apply an exemption during the investigation that ceases to apply once it concludes.
For more on exemptions, see our DSAR exemptions guide.
Emails
Email is the single most time-consuming category in an employee DSAR. A search for the employee's name and email address across the organization's email system can return thousands of results, many of which need individual review for third-party data redaction.
Practical approaches:
- Ask the employee if they can narrow the scope (specific time period, specific correspondents, specific topics) — they do not have to, but many will
- Prioritize mailboxes most likely to contain relevant data (the employee's own mailbox, their manager's, HR's)
- Use email search tools to filter efficiently
- Set realistic expectations about timeline — this is a legitimate reason for a deadline extension if the volume is genuinely large
CCTV Footage
If your workplace has CCTV and the employee is identifiable in the footage, that footage is their personal data. You must provide it if requested, subject to some practical considerations:
- You must redact other identifiable individuals in the footage (blur their faces) unless it is reasonable to include them
- If the footage has already been overwritten under your standard retention policy (and this happened before the request), you do not need to retrieve it
- The request must be specific enough for the footage to be located — "all CCTV footage of me" from an employee who has worked in a monitored office for five years is impractical, and you can ask them to specify dates, times, or locations
Data Held by Third Parties
If you use third-party HR software, a payroll provider, or an external occupational health service, they are likely processing your employee data as data processors. The data is yours (you are the controller), and it is in scope for the DSAR. You may need to contact your processors to retrieve the data.
Make sure your contracts with processors include provisions for assisting with DSARs — most modern data processing agreements do.
The Timeline for Employee DSARs
The deadlines are the same as for any DSAR:
- GDPR/UK: 30 calendar days, extendable by up to 60 days for complex requests (GDPR Article 12(3))
- CCPA: 45 calendar days, extendable by 45 days (Cal. Civ. Code § 1798.130(a)(2))
Employee DSARs are frequently complex enough to justify an extension, particularly when:
- The email search returns a large volume of results
- Significant third-party redaction is needed
- Exemption questions need to be resolved (especially if there is an ongoing investigation or legal proceedings)
- Data is spread across many systems
If you need to extend, notify the employee within the initial deadline period and explain why. See DSAR response deadlines for the full rules on extensions.
What You Cannot Do
Delete Data After Receiving the Request
If an employee submits a DSAR and you delete data to avoid having to disclose it, that is a serious violation — potentially criminal under some legislation. Once a DSAR is received, you must preserve all data that is in scope.
This also means you should immediately suspend any automated deletion policies for the employee's data until the request has been fulfilled.
Retaliate Against the Employee
Penalizing or treating an employee unfavorably because they made a DSAR is likely to constitute victimization under data protection law (GDPR Article 15(4)) and potentially under employment law. This includes:
- Dismissing the employee
- Reducing their hours
- Denying them a promotion or pay rise
- Making negative comments about the request to other staff
- Any other detrimental treatment connected to the DSAR
Require Them to Use a Specific Form or Channel
Just like any other DSAR, an employee does not have to use a specific form. If they email their request to their manager, that is valid. If they send it to HR, that is valid. If they tell the receptionist, that is valid (though you should ask them to confirm in writing).
Ask Why They Want the Data
You cannot require the employee to tell you why they are making the request. You might know or suspect the reason (particularly if it coincides with a workplace dispute), but the reason is irrelevant to your obligation to respond.
Practical Advice for Small Businesses
Before You Get an Employee DSAR
Know where employee data lives. Map out every system that holds employee data. For a typical small business, this might include:
- HR/people management system
- Payroll system
- Shared drives and cloud storage
- Internal messaging (Slack, Teams)
- Line manager notebooks and notes (yes, really)
- Physical files
- CCTV system
- Building access system
- Any third-party processors (background check providers, occupational health, benefits platforms)
Train your managers. Managers need to know two things:
- If an employee asks for their data, they must escalate it immediately rather than trying to handle it themselves
- Everything they write about an employee may be disclosed in a DSAR, so they should write accordingly
Clean up your data practices. The best preparation for employee DSARs is not having unnecessary data in the first place. Review what you actually need to keep, set retention periods, and delete what you no longer need. Less data means simpler DSARs.
When You Receive an Employee DSAR
Stay calm. Employee DSARs often arrive during difficult periods — disputes, performance processes, exits. Do not let the emotional context affect your legal response. Treat it as a compliance task.
Get legal advice early if the situation is contentious. If the DSAR coincides with a disciplinary, grievance, or potential legal claim, spend the money on a 30-minute consultation with an employment lawyer. The exemption questions in these situations can be genuinely complex.
Be thorough. An employee who is preparing for a legal claim will likely challenge an incomplete response. They know (or their lawyer knows) what data you should hold, and they will notice if something is missing.
Communicate clearly. Acknowledge the request promptly, set expectations on timeline, and if you need to extend, explain why honestly. Professional communication throughout the process reduces the risk of escalation.
After You Respond
Keep records. Document what you searched, what you found, what you provided, what you withheld (and why), and when you responded. Keep these records for at least the duration of any potential legal claim (typically six years for employment claims in England and Wales, though limitation periods vary).
Review and improve. Each employee DSAR teaches you something about where your data is and how your processes work. Use the experience to improve your data management practices.
The Scenario Every Small Business Dreads
Here is the situation no one wants but many face: an employee you are about to dismiss submits a DSAR the day before their disciplinary hearing.
This is legal, it is common, and it does not change anything about the disciplinary process. You must:
- Continue the disciplinary process as normal
- Process the DSAR within the standard deadline
- Not treat the DSAR as a factor in the disciplinary decision
- Not delay responding to the DSAR because of the disciplinary process (or vice versa)
If the disciplinary involves an investigation with evidence that is subject to an exemption (for example, whistleblower identities or legally privileged communications), get legal advice on what to disclose and what to withhold.
But otherwise, you respond to the DSAR with the same thoroughness and within the same deadlines as you would for any other request.
It Is Manageable
Employee DSARs sound daunting, but for most small businesses they are a straightforward (if time-consuming) exercise. You know your systems, you know where employee data lives, and you can work through the response methodically.
The businesses that struggle are the ones who are caught off guard, who do not know where their data is, or who let emotions drive their response instead of process.
Get your process right, and an employee DSAR is just paperwork.
References
- General Data Protection Regulation (GDPR), Article 15: right of access by the data subject
- UK GDPR / Data Protection Act 2018: ICO guidance on the right of access, including the employment context
- UK GDPR guidance and resources: ICO comprehensive guidance for organisations, including employment data handling
- GDPR, Article 12: transparent communication and response timelines
Last reviewed: February 2026. Privacy laws change frequently. Verify all statutory references against the current text of the law and consult qualified legal counsel before making compliance decisions for your business.
Get Your Response Right
Our DSAR Response Templates include specific templates for employee DSARs, including cover letter language, data category checklists, and redaction guidance. Download them now so you are ready when a request arrives.