Yes. You can ask for a copy of your employment personal data under GDPR, but that does not mean every internal document must be handed over in full. The right of access is about personal data and the supplementary information attached to it, not about turning over the whole HR file by default.
The ICO says an employee or worker can make a subject access request (SAR) verbally or in writing, including by social media. There is no required form. If the request is broad or unclear, the employer can ask for clarification, but it should not use informality as a reason to sit on the clock.
What you can ask for
In practice, a valid request can cover any personal data your employer processes about you, for example payroll records, disciplinary notes, sickness records, appraisal notes, email threads about you, and logs that identify your activity. The ICO’s employer SAR guidance and right of access guidance both make clear that the request is about the data, not the label you put on the file.
If you are trying to understand the wider people-process behind a request, our article on data protection refresher training shows why front-line staff need repeat reminders on how to recognise and route rights requests correctly.
How to make the request
Keep it simple. Say that you are making a subject access request, ask for a copy of your personal data, and name the period, team, or subject if you want to narrow the search. If the first request is too wide, the employer may ask you to narrow it, but it should still start searching and triaging rather than waiting for a perfect rewrite.
- State that you are making a subject access request.
- Say whether you want the request limited to a date range, department, or topic.
- Keep a record of when you sent it.
- Ask where the response will be sent securely.
Employers generally have one month to respond, per the ICO’s subject access request guidance. That can be extended by up to two further months for complex or numerous requests, but the organisation should explain the extension within the first month. If the request involves multiple systems or a lot of archived material, that triage step matters.
What your employer must provide
The response should include a copy of your personal data and the supplementary information required by Article 15, such as why the data is processed, the categories of data involved, recipients, retention periods, and your rights. That means the employer needs a process that can find the data, review it, redact third-party information where needed, and send it securely.
A privacy policy only works when the route behind it exists. Our piece on operationalising privacy policies explains why the promise in the notice has to match the process in the business.
When access can be limited
There are limits. Employers can refuse or narrow a request in some situations, such as where third-party rights would be unfairly affected, where legal privilege applies, or where the request is manifestly unfounded or excessive. That does not create a blank cheque to refuse routine employee requests. It means the employer has to review the material, justify any redactions, and explain what has been withheld.
If the request relates to sickness records, occupational health notes, or other sensitive information, the employer should check the UK GDPR and the ICO’s employment records guidance carefully before responding. Those records often sit in more than one system and they are easy to miss if nobody owns the search.
If you are handling the request as an employer
Don’t treat the request as an admin nuisance. Treat it as a legal workflow. Name an owner, log the deadline, search the right systems, check whether redactions are needed, and keep a record of how you reached the final decision. If you are handling a wave of requests, the discipline you put around intake and escalation will matter more than the wording in the template reply.
If your team wants a broader baseline on how to manage employee data properly, the GDPR Refresher Training Course is the practical next step for managers and HR staff who handle rights requests regularly.
