Understand your rights under GDPR and whether your employer has breached them 
Support throughout the process of asserting your rights 
Clear advice in plain English - no legal jargon 


The General Data Protection Regulation (GDPR) came into effect on Friday 25th May 2018. Publicity around the regulations centred on the processing of personal data held about customers or potential customers. But GDPR isn't just about mailing lists and customer personal data.  
GDPR puts data security and privacy of employees' personal data at the forefront of an employer’s consideration. It creates significant rights for employees in relation to their personal data and substantial penalties for an employer who breaks the law. 
Businesses hold and process a significant amount of employees' personal data: for background checks, contracts of employment, disciplinary proceedings, grievance proceedings, annual reviews, payroll, benefits, training, sickness procedures and health records, monitoring performance, CCTV images of employees, clocking in and out, security checks, file notes, minutes of meetings, emails referring to employees (even indirectly). All of these will involve the processing of personal data, and so GDPR applies and gives you rights as an employee. 


Your employer must be able to demonstrate one of these six lawful bases is applicable to any personal data they process or control: 
with your consent 
where the personal data is necessary for the performance of a contract e.g. an employment contract 
they require the personal data to be able to comply with a legal obligation e.g. provide information to HMRC 
the personal data is necessary to protect the vital interests of you as an employee or someone else. This is thought to apply if the person's life or health were at risk e.g. being aware of health issues 
it is necessary in the public interest 
it is necessary for the purposes of a legitimate interest of your employer or a third party. Your interests and fundamental rights and freedoms as an employee can override this basis 


GDPR tightened regulations around consent, placing higher demands on the standard of consent needed to receive communications. It is no longer acceptable to rely on automatically ticked boxes, or to make it impossible to unsubscribe. Under GDPR, consent must be: 
freely given 
distinguishable - this means that it should be separate from other things such as employment contracts and policies 
able to be withdrawn 


You have the right to: 
access your personal data 
correct your personal data 
erase personal data (the right to be forgotten) 
restrict processing of data 
object to data processing 
receive a copy of your personal data 
transfer your personal data to another data controller 
not be subject to automated decision making 
Your employer must provide requested data without undue delay. Usually this must be no later than one month from the initial request, or two months for complex or onerous requests. Your employer is no longer able to apply a standard fee, although reasonable charges can be made for unfounded or excessive requests.  
If your employer refuses to comply with your request, you have the right to complain to the ICO.
Your employer must inform you of: 
the identity of the data controller and any data protection officer 
the purpose of processing the data and the relevant legal basis 
the source and category of any data that you did not provide yourself 
who will receive the data (department or role) 
how long your employer intends to keep the data - for example, 3 years after the end of your employment 
your rights under GDPR 
whether the data is to be transferred out of the EU, the legal basis for this and the safeguards in place 
whether your employer uses any automated decision making or profiling 


Do you have a legal matter you'd like to discuss with us? Get in touch using the details below or use the form here and a member of our team will be in touch to discuss your enquiry. 
Phone: 0121 817 0520 
Address: Spencer Shaw Solicitors Limited 
St Mary's House, 68 Harborne Park Road,  
Harborne, Birmingham, B17 0DH 
Opening hours: 
Monday - Friday 9:00AM - 5:00PM 
Saturday, Sunday & Bank Holidays - Closed 