We have had a Subject Access Request from an ex-employee. I would like to know what data exactly I need to send and what I need to redact from the data that we send out?
The user has only been with us for a few months, so mainly Teams messages and emails. There will be other usernames and client names in the mix; do we need to redact them all?
I have the data from ***, but need to run through it now and send out by the end of the month.
The right to access is a fundamental right of the data subject. As stated in Article 15 GDPR - Right of access by the data subject – paragraph 3: “The controller shall provide a copy of the personal data undergoing processing”. However, paragraph 4 states that “The right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others”. So you should redact the personal data of other data subjects (including usernames, pseudonyms, etc.), intellectual-property-protected data, and confidential data (including customer names, customer financial info, discounts, financial offerings, invoices, contracts, etc.).
Advisera’s EU GDPR Premium Toolkit might help you in this endeavor because, as part of the toolkit, we have a template for a Data Subject Access Request Procedure as well as templates for disclosure forms.