SAR

Employees, like other data subjects, have the right to access their personal data. When you receive a SAR (Subject Access Request) you need to reply without undue delay (usually one month) and you can extend such a period to another month for complex requests.

You need to give access to the employee to data stored excluded for documents subjects to legal privilege (i.e. legal advice on the employee), data concerning third parties, disproportionate request.

You should also inform the employee about the categories and the purposes of data processing, how data have been processed, the legal ground of processing, the source of data (if data were not communicated by the employee), data retention periods, other data subjects rights, if data had been transferred to third parties, security measures if any automated processing method applies. Usually, all this information is included in the employee privacy policy.

Please consider that if the SAR is too generic you can ask for clarification to the employee, if the employee is not legitimate to access, you can reply with a denial, but do not ignore the request otherwise the employee can lodge a complaint to the Data Protection Authority of your country.

Here you can find more information:

• Data subject rights according to GDPR https://advisera.com/eugdpracademy/knowledgebase/8-data-subject-rights-according-to-gdpr//
• Four main questions for obtaining and managing data subjects’ consent under GDPR https://advisera.com/eugdpracademy/knowledgebase/four-main-questions-for-obtaining-and-managing-data-subjects-consent-under-gdpr/
• How the GDPR could impact your HR department https://advisera.com/eugdpracademy/blog/2018/02/22/how-the-gdpr-could-impact-your-hr-department/ 

If you want to know more about GDPR compliance you can consider enrolling in this EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//