How must employers respond when an employee seeks to access, delete, or control personal information the employer maintains about them? Since the introduction of the European General Data Protection Regulation (GDPR), an individual’s rights to request access to, correction to, or deletion of their personal data (DSARs, or “data subject access requests”) have become a topic of strategic importance for global businesses.

Responding to DSARs can be tricky and resource-intensive: only limited exceptions allow employers to narrow or reject a request, and getting it wrong risks penalties from data regulators. On March 19, 2026, the European Court of Justice issued a significant ruling clarifying that even a first DSAR can be rejected as abusive if the data controller demonstrates the requester's intent to artificially create the conditions for obtaining compensation. However, the threshold for establishing such abuse is high and the burden of proof lies with the controller.

DSAR challenges can be particularly acute in the employment context: an employee’s personal data is scattered across the employer’s systems, intertwined with other people’s personal data, and, compared with standard customer data, often riskier to hand over wholesale. Employees are data subjects with DSAR rights under GDPR, but at present only California law contains analogous provisions for employee data subjects in the United States.

Even so, employee DSAR rights hold significant relevance for any business with a multijurisdictional workforce or cross-border operations. A single employee in a covered location may give rise to binding obligations—even if that employee works remotely. GDPR, for example, applies to any company that monitors EU-based employee behavior (through email monitoring, GPS tracking, or CCTV surveillance) regardless of the employer’s location. The California Consumer Privacy Act (CCPA) applies to for-profit businesses doing business in California that meet revenue or data-processing thresholds — including those without a physical California office.

Implications also exist for employees who sit outside of Europe or California. How do employers develop cohesive policies across jurisdictions? When a workplace concern arises involving both U.S. and EU employees, or U.S. employees both in California and in other states, how should the investigation proceed? When litigation is anticipated, what should employers expect from DSAR activity – and how much information is sufficient to satisfy an employee’s DSAR? Companies seeking a potential acquisition involving GDPR countries or California-based employees must also consider implications for diligence and smooth employee integration.

This guide breaks down DSARs, flags priority issues for U.S. employers, and offers suggestions for developing feasible response protocols.

I. Employee DSARs (GDPR)

A DSAR is a formal request by a data subject to exercise rights over the personal data an organization holds about them, typically including the right to access a copy of their data, correct inaccuracies, or request deletion. Data subjects are individual natural persons.

DSARs were established as a key component of the European Union's General Data Protection Regulation (GDPR), which took effect May 25, 2018. The GDPR grants data subjects a right of access, as outlined in Article 15:

“The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed and, where that is the case, access to the personal data and the following information:” (a) the purposes of the processing; (b) the categories of personal data concerned; (c) the recipients to whom the data has been or will be disclosed; (d) the envisaged storage period; and (e) the existence of rights to rectification, erasure, or restriction of processing.

Article 15(3) also grants data subjects the right to be provided a copy of the data being processed about them. These rights apply across all sectors, including employee data. GDPR recognizes employees as data subjects and affords them special protection due to the inherent power imbalance in the employer-employee relationship. Employee consent is generally insufficient as a legal basis for processing because it cannot be "freely given" when the employee fears adverse consequences for refusing. In June 2025, the UK Data (Use and Access) Act codified that employers need only conduct a "reasonable and proportionate search" for responsive data.

While the United Kingdom separated from the EU at the end of 2020, the UK GDPR that came into force in 2021 contains the same rights as the EU GDPR. Switzerland affords comparable protection to Swiss residents under its Federal Act on Data Protection.

Response Obligations

A DSAR does not need to be labeled as such; an email may suffice to put an organization on notice and trigger the relevant obligations and deadlines. Businesses must respond "without undue delay" and within one month of receipt. This period may be extended by up to two additional months for complex or voluminous requests. Responses must be concise, transparent, and in plain language.

Data subjects may ask for specific data, or simply “all data about me.” Either way, the data subject is entitled to:

  • Confirmation of processing their personal data
  • Access to a copy of that data
  • Information about how and why the data is processed
  • Information about how the data is protected if transferred out of the European Economic Area/UK/Switzerland or to an international organization
  • Details about recipients, retention periods, and data sources

A business may refuse to respond if a DSAR is “manifestly unfounded or excessive.” An organization is also not required to produce attorney-client privileged materials, information revealing trade secrets, or personal information of another individual. Data maintained solely for legal or compliance purposes may also be exempt in some circumstances.

Emerging Uses

More employees have begun using DSARs to collect evidence supporting ongoing or anticipated litigation against their employers. In Europe, employer-employee disputes are often handled in labor tribunals without extensive discovery, and DSARs have become a key tool in proceedings and negotiations. Regulators have made clear that ongoing litigation is not a valid reason to withhold information in response to a DSAR. (See, for example, ICO Enforcement Notice, First Choice Selection Services Ltd (2 Mar. 2021) (UK Information Commissioner’s Office), requiring compliance with an employee DSAR despite ongoing litigation.) Employers should also be aware that DSARs may be submitted during internal investigations, often by the subject of the investigation seeking to understand what information the employer has gathered.

Reliable, consistent implementation in the employee context remains a challenge. Standards developed for customers and third parties do not map smoothly onto the employer-employee relationship, and regulatory precedents often lack clear directives. Knowing what is not a valid reason to withhold information only goes so far toward proactive compliance.

II. Application in US Workplaces

GDPR generally does not apply to employees located in the United States (see the FAQs below for temporary assignments and remote work from the EU), and outside California neither state nor federal law yet obligates U.S. employers to search for and provide an employee’s data simply because they ask. So what should U.S. teams know?

Contrasting Familiar Analogues

U.S. employers have long dealt with challenges of releasing employee information, but familiar contexts often allow more employer control. DSAR-type information is discoverable in litigation—but by that point, the employer has had time to review and prepare, often with protective orders limiting what the employee can do with the information. For government employers, FOIA or "sunshine" laws require prompt transparency—but confidential personnel data is exempt to varying degrees. State laws granting rights to review personnel files (in about half the states, including California, Illinois, and Massachusetts) afford some flexibility to define what constitutes a “personnel file,” and access typically extends only to a curated subset of employee data. These analogues can serve as a helpful starting point for understanding DSARs.

California’s Consumer Privacy Act

An increasing number of U.S. states have instituted comprehensive privacy frameworks, but California’s CCPA is currently the only state data protection law providing DSAR-like rights to employees. The "right to know” provisions require businesses to disclose, upon request, the categories and specific pieces of personal information collected, the sources of that information, the business purpose for collecting it, and the categories of third parties with whom it is shared. As of January 1, 2023, employees, job applicants, and service contractors are included in the definition of “consumers." In late 2023, the California Attorney General announced an initiative requesting information from employers about their employee-data compliance measures. Other states’ laws - such as Virginia's VCDPA, Colorado's CPA, and newer laws in Indiana, Kentucky, and Rhode Island (effective January 2026) – presently exclude employees from the categories of individuals entitled to request access.

The CCPA requires businesses to offer at least two methods for submitting requests, including a toll-free telephone number (a business that operates exclusively online and has a direct relationship with the consumer may instead offer an email address), to confirm receipt within 10 business days, and to provide a substantive response within 45 calendar days. This period can be extended once by a further 45 days where reasonably necessary, with notice to the requester. As under GDPR, businesses may deny requests that cannot be verified or where an exemption applies.

Overlapping—and Conflicting—Legal Duties

DSAR entitlements are broader than personnel file requests, extending to unstructured data like emails, Slack messages, instant messages, digital discussion groups, investigation notes, and other records not traditionally considered part of a formal personnel file. Employees can request access to internal communications about them, including manager emails discussing performance, promotion decisions, or termination deliberations, which may reveal context employers would prefer to keep internal. Requests for deletion create natural tension with employers' recordkeeping requirements under other laws (tax, payroll, benefits administration) and with litigation preservation obligations.

III. FAQs

As employers grapple with how to structure their DSAR response process and to document compliance, a number of common questions can arise.

Can US employees on temporary assignment to a GDPR country (or the reverse) make DSARs? Yes. GDPR's territorial scope turns on where the controller is established and on where the individual is located when their data is processed, not on nationality. A U.S. employee temporarily working in Germany is entitled to GDPR protections for data processed during that assignment. Conversely, an EU employee on assignment to the U.S. retains GDPR rights for data processed in connection with their EU employment relationship, though new data generated solely from U.S. activities may fall outside GDPR scope.

Is an employer required to respond to a DSAR if a US employee spends time in the EU for personal reasons and works remotely? Brief personal travel does not trigger GDPR obligations unless the employer is actively monitoring or processing data about the employee while they are in the EU. Employers with robust monitoring systems (email surveillance, productivity tracking) should be aware that such monitoring of an EU-located individual could implicate GDPR.

If an employee weaponizes the DSAR process, what actions can the employer take? Controllers are not obliged to comply with every DSAR at face value. After the ECJ’s March 19, 2026 decision in Brillen Rottler v. TC (C-526/24), there is now explicit support for rejecting requests that can be substantiated as abusive. That said, the threshold is high and the burden of proof rests with the employer. Any refusal must be carefully reasoned and documented based on all relevant circumstances, including demonstrating the requester's intent to obtain advantages by artificially creating conditions rather than genuinely exercising access rights; “abuse” cannot be assumed lightly. That the employee has lodged a complaint or is involved in a dispute with the employer is not grounds to reject the request. Employers should also avoid disciplinary or other adverse action in response to DSARs, which may give rise to retaliation claims under applicable law.

Are employers required to provide a DSAR response during an internal investigation involving the data subject? Yes, with limited exceptions. An ongoing investigation does not suspend DSAR obligations. However, employers may be able to delay or limit disclosure if the request is abusive, or if providing the information would prejudice a criminal investigation or ongoing legal proceedings. In cross-border investigations, employers should coordinate response timing carefully. Withholding information from a DSAR while simultaneously using it in disciplinary proceedings may create fairness concerns and, subject to applicable law, potential retaliation claims if the employee can show adverse action was taken in response to a protected DSAR.

Can employers limit costs in responding to a DSAR? Generally, responses must be provided free of charge. Under GDPR, employers may charge a reasonable fee (or refuse to act) for "manifestly unfounded" or "excessive" requests, and may charge for additional copies of data already provided. A request is "manifestly unfounded" if made with no genuine intention to exercise data protection rights, such as to harass the employer or disrupt operations. A request may be "excessive" if clearly unreasonable when balanced against the burden of compliance. Repetitive requests for the same data may be considered excessive. Each request must be evaluated individually; employers cannot apply blanket policies. Native format is not required: data may be provided in commonly used electronic formats (PDF, CSV) unless the requester specifies otherwise.

How should an employer interpret an employee’s request for “everything”? Employers must conduct a comprehensive search across all systems reasonably likely to contain the employee's personal data. This includes HRIS platforms, email, instant messaging, shared drives, performance management systems, and payroll databases. Document the search methodology and systems queried. If responsive data is inadvertently missed, promptly supplement the response. See this Checklist for responding to a request.

What documentation is required for handling DSARs? Employers must maintain contemporaneous records of each DSAR, including the date of receipt, systems searched, search methodology, identity verification steps, the response provided (with date), and any reasons for withholding or limiting disclosure. Retaining this documentation demonstrates good-faith compliance and provides an audit trail in the event of regulatory inquiry or litigation.

How does an employer address records that include both the data subject’s information and another person’s (like emails)? GDPR permits, and in some cases requires, redaction of third-party personal data when disclosure would breach another individual's privacy. However, redaction must be carefully documented and justified; over-redaction may itself constitute non-compliance. Manual redaction of large volumes of documents is time-consuming and error-prone, leading some employers to invest in automated redaction tools or specialized providers.

What if the requested information will jeopardize company intellectual property or trade secrets? Employers may withhold information that would reveal trade secrets or confidential business information. This exemption is narrowly construed and should be documented if invoked.

What if the requested information has been deleted or destroyed? If data has been deleted in accordance with the employer's standard retention policy before the DSAR was received, the employer is not obligated to recover it. The response should confirm that certain data categories are no longer retained and explain the applicable retention periods. However, if data was deleted after the DSAR was received-or in anticipation of a request-this may constitute a violation and could expose the employer to regulatory action or adverse inferences in litigation.

What about privileged information? Attorney-client privilege and work product protection may shield certain documents from disclosure, but employers should apply these exemptions carefully. Privilege doctrines vary significantly across jurisdictions. Legal professional privilege in GDPR jurisdictions, for example, tends to be far narrower than U.S. attorney-client privilege. If claiming privilege as a basis for withholding information, employers should tell the requester that this is the basis for doing so. UK law recognizes privilege as a statutory exemption and does not require the data controller to disclose further information that would undermine the privilege, but it is good practice to maintain a privilege log (similar to U.S. discovery practice) in case the claim is later challenged. The mere existence of litigation or an anticipated dispute is not grounds to refuse a DSAR.

Can a DSAR response restrict what the employee does with the data? No. Unlike discovery in litigation, DSAR responses cannot be subject to confidentiality agreements or restrictions on use. Once provided, the employee may use the data for any lawful purpose, including sharing it with attorneys, regulators, or the media. This is a key distinction from U.S. litigation discovery, where protective orders commonly restrict dissemination.

Can employees ask to delete their information? Yes, but an employer may deny a deletion request if it has a legal obligation to retain the data, which often applies to personnel records and wage information. Businesses must carefully balance these competing duties when responding to deletion requests. CCPA provides several explicit exceptions to the data deletion requirement for employee DSARs, including where retaining the data is necessary to enable continuation of employee services.

Do employers have to explain why they withheld or declined to delete information? Yes. When an employer withholds or redacts information, the response should explain the basis for doing so, such as third-party privacy, legal privilege, trade secret protection or tax obligations. Vague or boilerplate explanations may invite regulatory scrutiny. And employers that decline to delete certain personal information required for an internal use like providing employee services must ensure the retained data is not later used for a different purpose like sending marketing communications. See Common grounds for withholding responsive information.

Do employers have to explain the purpose for collection of each type of data provided, or can the employer provide one general explanation? Employers should provide purpose explanations at an appropriate level of specificity. A single blanket statement (e.g., "for employment purposes") is generally insufficient. However, employers need not provide a unique explanation for every individual data point. Grouping data by category with corresponding purposes is acceptable - for example, explaining that payroll data is processed for compensation administration and tax compliance, while performance data is processed for career development and promotion decisions. The key is ensuring the employee understands why each type of data is collected and how it is used.

Should employers with some California employees extend DSAR rights to their U.S. employees who reside outside of California? Extending DSAR rights company-wide simplifies communication and avoids employee confusion (and company values disconnect) about differing entitlements. On the other hand, California’s employment laws tend to be unique and some employers are accustomed to separating California for all employment purposes. Employers choosing a jurisdiction-specific approach should clearly communicate which employees are covered and why.

IV. Takeaways

Depending on employer size, location, and workforce profile, the best employee DSAR preparedness plan may entail a detailed response protocol or simply increasing awareness of how and when DSARs may become relevant.

Sound data management practices are a good start. Employees are entitled to know the legitimate purpose for the employer’s processing of their personal data. Employers should identify standard category-based explanations of processing employee data and avoid collecting or maintaining data without a clear purpose (for example, sensitive demographic data).

Data mapping is critical to ensuring compliance. Employers often run multiple HRIS databases while employees communicate through multiple channels throughout an organization. Employers without a comprehensive inventory of likely data collections or systems may scramble to check them all within the time limits for responding to a DSAR. Well-considered, multi-departmental cooperation for investigating data requests is also essential if organizations are to locate all data relevant to a request efficiently. Data-protection and DSAR cooperation clauses are relevant even for U.S. vendor contracts, because data held or processed in vendor systems is also subject to DSARs. Data retention and standard deletion practices help keep comprehensive searches to a reasonable scope. U.S. employers that do not already have GDPR-inspired privacy policies and notices may see fit to put these into place to facilitate efficient responses and to give clear information about how they protect employee data and, where relevant, cross-border data transfers.

Response planning

  • Clear Disclosures. Employers must make known how to submit a DSAR, when to expect a response and that some data may be exempt.
  • Submission Methods. While data subjects can submit requests through various channels, providing designated methods, such as a secure webform or dedicated email address, streamlines intake. Standardized forms clarify the nature of the request and gather identity verification information upfront. California law requires at least two designated methods for submitting requests, including a toll-free number. Consider whether to extend these submission options to employees in other jurisdictions for consistency.
  • Deadline Management. Calendar response deadlines immediately upon receipt. GDPR requires response within one month (extendable to three); CCPA allows 45 days (extendable to 90). Missing deadlines can trigger regulatory complaints.
  • Search Protocols. Develop a repeatable search protocol identifying which systems to query, which custodians to contact, and what search terms to use. Document searches conducted for each request. Maintain records of searches conducted to demonstrate good-faith compliance.
  • Response Templates. Use templates for common response elements: confirmation of DSAR receipt, data processing category listings, explanation of processing purposes (often "administration of the employment relationship" and "compliance with legal obligations"), and descriptions of data categories produced in response to access requests or removable in response to employee deletion requests.
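The deadline rules in the list above (and the CCPA timings in Section II) are easy to miscalculate when a request arrives near the end of a month or on a Friday. The following Python is an added example, not code from the original article or from any law firm or regulator; it computes the acknowledgement and response deadlines for a DSAR under either regime from the date of receipt. It assumes two conventions that the article does not state: GDPR months are counted the way EDPB and ICO guidance apply Regulation (EEC) 1182/71 (the period ends on the same calendar day of the later month, clamped to the month end, and a deadline falling on a Saturday or Sunday rolls to the next working day), and CCPA "business days" are Monday to Friday. Public and state holidays are deliberately ignored in both calculations.

```python
"""Deadline calculator for employee DSARs under GDPR and CCPA (added example).

Assumptions, not taken from the article:
  - GDPR months follow the same-date rule (31 Jan -> 28/29 Feb) with a
    weekend deadline rolling forward to Monday; public holidays are ignored.
  - CCPA business days are Monday to Friday; California holidays are ignored.
"""
import calendar
from dataclasses import dataclass, asdict
from datetime import date, timedelta
from typing import Optional


def add_months(d: date, months: int) -> date:
    """Same calendar day `months` later; if that day does not exist in the
    target month (31 Jan + 1 month), use the last day of that month."""
    month_index = d.month - 1 + months
    year, month = d.year + month_index // 12, month_index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))


def next_working_day(d: date) -> date:
    """Roll a Saturday/Sunday deadline forward to Monday (holidays ignored: assumption)."""
    while d.weekday() >= 5:
        d += timedelta(days=1)
    return d


def add_business_days(d: date, n: int) -> date:
    """Advance `n` Monday-to-Friday days (California holidays ignored: assumption)."""
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            n -= 1
    return d


@dataclass(frozen=True)
class Deadlines:
    regime: str
    received: date
    acknowledge_by: Optional[date]  # CCPA only; GDPR has no separate acknowledgement deadline
    respond_by: date                # default deadline
    extended_respond_by: date       # latest date if an extension is properly invoked and notified


def gdpr_deadlines(received: date) -> Deadlines:
    """GDPR Art. 12(3): one month from receipt, extendable by two further months
    for complex or numerous requests; the extension must be notified within the
    first month."""
    return Deadlines(
        regime="GDPR",
        received=received,
        acknowledge_by=None,
        respond_by=next_working_day(add_months(received, 1)),
        extended_respond_by=next_working_day(add_months(received, 3)),
    )


def ccpa_deadlines(received: date) -> Deadlines:
    """CCPA: confirm receipt within 10 business days (Cal. Code Regs. tit. 11,
    s. 7021); respond within 45 calendar days, extendable once by a further
    45 days where reasonably necessary (Cal. Civ. Code s. 1798.130(a)(2))."""
    return Deadlines(
        regime="CCPA",
        received=received,
        acknowledge_by=add_business_days(received, 10),
        respond_by=received + timedelta(days=45),
        extended_respond_by=received + timedelta(days=90),
    )


def compute_deadlines(regime: str, received_iso: str) -> dict:
    """Intake-log entry point: ISO receipt date in, ISO-formatted deadlines out."""
    received = date.fromisoformat(received_iso)
    calculators = {"GDPR": gdpr_deadlines, "CCPA": ccpa_deadlines}
    try:
        deadlines = calculators[regime.upper()](received)
    except KeyError:
        raise ValueError(f"unsupported regime: {regime}") from None
    return {
        field: (value.isoformat() if isinstance(value, date) else value)
        for field, value in asdict(deadlines).items()
    }


if __name__ == "__main__":
    # Constructed receipt dates chosen to exercise the month-end and weekend rules.
    for regime, received in (("GDPR", "2026-01-31"), ("CCPA", "2026-04-01")):
        print(compute_deadlines(regime, received))
```

A request received on 31 January 2026 under GDPR shows why the month-end rule matters: the naive "add 31 days" answer lands in March, whereas the same-date rule gives 28 February, which is a Saturday and therefore rolls to Monday 2 March. The extended date is the only one an employer may rely on after notifying the requester within the first month; calendar both from day one.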

Employee DSARs present a growing compliance challenge for U.S. employers with global or California-based workforces. Proactive data mapping, clear policies, standardized response protocols, and cross-functional coordination between HR, Legal, Privacy Compliance and IT are essential for effective compliance. Employers are well served to monitor regulatory developments, as enforcement activity in this area continues to increase.
