GDPR In The Workplace: Know Your Rights

Caragh Bailey
6 min read
GDPR In The Workplace: Your rights regarding data protection at work, explained by Employment Law Friend.

Chances are you've been given some training on GDPR in the workplace, with a focus on how you handle customer or client information, to ensure your company complies with the law.

As an employee, your data gets the same legal protections as any external 'data subject'. In practice it often gets more, because of the amount of personal information that your employer holds about you.

The General Data Protection Regulation (GDPR) is a law created in the EU to protect the data of its citizens; it affects businesses worldwide. The UK implements GDPR with the Data Protection Act 2018.

What are the 7 GDPR principles?

The 7 key principles of UK GDPR are:
  • Lawfulness, fairness and transparency
  • Purpose limitation
  • Data minimisation
  • Storage limitation
  • Integrity and confidentiality (security)

What are the 8 rights of individuals under GDPR?

Your rights under GDPR are:
  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • Rights in relation to automated decision making and profiling

Essentially, this means that your employer is responsible for informing you of the purpose of collecting and using your personal data, as well as how it will be treated by the organisation. They can use your data in the specified ways only with your freely given consent (or another lawful basis, listed below).

You can access your personal data, request for mistakes in it to be rectified and have it destroyed when it is no longer required by law.

There are six lawful bases on which your employer can process your data:

1) Consent

You have given clear consent for a specified purpose*.

2) Contract

It is necessary for a contract they have with you, or because you have asked them to take specific steps before entering into a contract with them.

3) Legal Obligation

It is necessary for your employer to comply with law (not including contractual obligations).

4) Vital interests

It is necessary to protect someone’s life.

5) Public task

It is necessary for your employer to perform a task in the public interest or for their official functions, and the task or function has a clear basis in law.

6) Legitimate interests

It is necessary for your employer's legitimate business interests or the legitimate interests of a third party, unless there is a good reason to protect your personal data which overrides those legitimate interests. (Does not apply if your employer is a public authority processing data to perform its official tasks).

*Consent does not include:
  • Silence
  • Lack of complaint
  • Consent incorporated as a standard term within your employment contract or data protection policies

What is an example of GDPR?

Some examples of GDPR in the workplace which you might not expect:

Celebrating birthdays

Your birthday is your personal information. Not only do some people prefer to keep this information private, it could also be used in conjunction with other personal information to attempt identity fraud.

If your workplace keeps a shared calendar of birthdays (without consent), or your manager surprises you or other employees with a cake on your birthdays, this may amount to a data protection breach.

Sending Christmas cards

Posting greetings cards to your home address may amount to a data breach, if you have not given your consent for your address to be used in this way.

There is stronger legal protection for more sensitive information, concerning: race; ethnic background; political opinions; religious beliefs; trade union membership; genetics; biometrics (where used for identification); health; sex life or orientation.

More serious examples of GDPR:

Disclosing your health information

When you are absent from work you may be expected to give your employer details of your health. All that should be shared with your colleagues is that you are unwell - and even then, only the colleagues directly affected by your absence.

If the details of your health have been disclosed to other colleagues then this likely amounts to a data breach, especially where those details are sensitive.

Disclosing your sexual orientation

Your employer may be aware of your sexual orientation, when you are not yet 'out' among your wider colleagues.

Even in well-intentioned circumstances, such as drawing positive attention to you during a company-sponsored Pride event, outing an employee is always considered a serious breach of GDPR.

Sending your CV to a colleague for a second opinion

Data breaches can occur before you've even begun employment. If the person reviewing your CV isn't sure and shares your CV (including name, contact details, etc.) with another colleague they may be in breach of GDPR in the workplace. This can be avoided if they anonymise the CV first, redacting personal information and using only an ID number to identify the CV.

Data leak

This is the breach of GDPR in the workplace that we are most familiar with, due to press coverage. An accidental or malicious leak of employee personnel files can be detrimental, as once leaked they are often sold on the dark web.

Names, addresses, birth dates and bank details can be sold off to the highest bidder and used with malicious intent, primarily identity theft. These breaches are serious and can involve fines against the employer worth millions.

Have your data protection rights been breached?

If your personal data has been shared without your consent, or your rights have not been honoured, you may have a claim against your employer. Get in touch to see how we can help.

Employment Law Specialist | Competitive Quotes | Straight Talking Legal Support

Frequently Asked Questions

As an employee, you must follow your company's data handling procedures. You should also have received a privacy policy explaining how your employer handles your personal data.

If you have a concern regarding data handling at work, you should raise the issue with your employer, or with the Information Commissioner's Office.

You have the right to see the information which your employer holds about you. However, there are some legal exceptions.

Schedule 2 of the Data Protection Act contains an exemption which allows your employer to refuse to disclose a confidential reference. However, they can choose to do so anyway.

If your employer decides to share the reference with you, they will still be obligated to protect the data interests of any third parties identified in the reference. For example, your employer will have to redact any data which identifies the individual who made the reference.

Your employer can legally intercept any of your telecommunications (email, IM, calls etc.) as long as:
  • You have given consent; or,
  • They can show that they took reasonable steps to inform all users that interception may take place.

Employers can intercept telecommunications without either of the above provisions under certain legal exemptions, including:
  • Quality control & training
  • For regulatory and self-regulatory procedures
  • For systems maintenance
  • To find out if the communication is for a private purpose, rather than business
  • To detect unauthorised use
  • To prevent or detect crime
  • For national security purposes

This content is provided free of charge for information purposes only. It does not constitute legal advice and should not be relied on as such. No responsibility for the accuracy and/or correctness of the information and commentary set out in the article, or for any consequences of relying on it, is assumed or accepted by any member of our company. For employment law advice please get in contact and speak to your employment law solicitors.

Talk to a Professional

If your rights have been breached concerning data protection or GDPR in the workplace, we can help.

Just get in touch today to speak to one of our employment law specialists.

Please be advised that we are a UK company and our advice applies to employment law in England and Wales, only.