How must employers respond when an employee seeks to access, delete, or control personal information the employer maintains about them? Since the introduction of the European General Data Protection Regulation (GDPR), an individual’s rights to request access to, correction to, or deletion of their personal data (DSARs, or “data subject access requests”) have become a topic of strategic importance for global businesses.
Responding to DSARs can be tricky and resource-intensive, with only limited exceptions allowing employers to limit or reject a request and risk of penalties from data regulators for getting it wrong. On March 19, 2026, the European Court of Justice issued a significant ruling clarifying that even a first DSAR can be rejected as abusive if the data controller demonstrates the requester's intent to artificially create conditions for obtaining compensation. However, the threshold for establishing such abuse is high and the burden of proof lies with the controller.
DSAR challenges can be particularly acute in the employment context, where an employee’s personal data is all over their employer’s systems, intertwined with others’ personal data, and when compared with standard customer data, often high risk to simply hand over. Employees are data subjects with DSAR rights under GDPR, but at present only California law contains analogous provisions for employee data subjects in the United States.
Even so, employee DSAR rights hold significant relevance for any...
Panaji: The Public Works Department (PWD), Government of Goa, has strongly refuted allegations being circulated on social media and certain media platforms regarding a so-called "Rs 1,000 crore sc...