In this blog, we examine the complexities of employee data subject access requests (DSARs), particularly when business emails contain personal data that may fall within scope. We outline the Information Commissioner’s Office’s (ICO’s) guidance for UK employers, contrast it with a French Court of Cassation ruling that significantly broadens access rights in relation to professional emails, and consider the implications for organisations operating in France and in the UK. Finally, we provide practical advice on managing DSARs efficiently and maintaining compliance under the UK GDPR.
Article 15 of both the EU and UK General Data Protection Regulation (GDPR) grants individuals the legal right to request from an organisation that controls their personal data a copy of that data, along with supplementary information such as the purposes of processing and the retention period. This is known as a data subject access request (DSAR) and allows individuals to check that their personal data is being handled correctly, is accurate, and is being used lawfully.
The definition of personal data is key to understanding the scope of the right of access. The GDPR defines personal data as ‘any information relating to an identified or identifiable natural person’ (i.e., living individual); note that it states that information must relate to an individual, and not to some other matter. That individual must be identified or identifiable, either directly or indirectly, from one or more identifiers or from factors specific to the individual.
In most circumstances, it will be relatively straightforward to determine whether the information you process ‘relates to’ an ‘identified’ or an ‘identifiable’ individual. However, in some situations, this may be less clear, requiring a careful review of the data you hold to assess whether it qualifies as personal data and, consequently, whether the right of access applies.
When a request comes from an employee or ex-employee, the source of data is likely to include a personnel file, whether electronic or on paper, and records relating to employment matters such as training, performance, absence, sickness and so on. A search for relevant information is likely to include an HR system but could also include email, and this is where things become more complex and potentially challenging. An email search for an individual’s name may reveal thousands of emails from or to the individual, as well as those where the individual is mentioned in the text. But are all of these within the scope of a DSAR? Do they all ‘relate to’ that individual?
ICO Guidance
The ICO states that the scope of a DSAR for business emails is limited to the personal data of the individual making the request. Even business-related emails may contain the requester's personal data, so organisations must search for and provide any email content that is about that individual. Partial disclosure is permissible, and the requester's name, email address, and any other information that is clearly their personal data must be included. So if the content of an email is about that individual, for example their performance, pay, absence, etc., then it falls within the scope of the DSAR. However, if the email relates to a business matter handled as part of their role for the organisation, then it may not represent their personal data.
The ICO goes on to say that a DSAR only applies to the requester's personal data, not all data within an email. Business content is not automatically excluded, however. For example, emails about business matters may still constitute personal data if the content relates to the individual making the request. The context of the email determines whether its content qualifies as personal data; simply being copied on an email does not make the entire content personal data.
As the right of access only entitles the requester to a copy of their personal information, you must consider what information in the email is the individual’s personal data. The information you will need to share also depends on the contents of the email and the context of the information it contains.
There is no obligation to comply with a DSAR in relation to:
- The personal data of third parties. Requesters are entitled to their own personal data but not that of others.
- Personal data in respect of which a claim of legal professional privilege could be maintained in legal proceedings.
- Purely personal or household activity. This covers personal information, but probably not records made personally in a work context.
- A reference given (or to be given) in confidence for employment, training or educational purposes. The exemption covers the personal data within the reference whether processed by the reference giver or the recipient.
- Personal data processed for the purposes of management forecasting or management planning in relation to a business or other activity, to the extent that complying with the DSAR would prejudice the conduct of the business or activity.
- Personal data consisting of records of intentions in relation to negotiations between the employer and employee, to the extent that compliance with the DSAR would be likely to prejudice the negotiations.
The CJEU View on Business Emails and DSARs
The Court of Justice of the European Union (CJEU) has affirmed that DSARs give individuals a broad right to access their personal data in work emails. This includes the content of emails, internal company notes, and even logs of who accessed personal data. However, the right is not absolute and must be balanced against the rights and freedoms of others.
The Court has consistently favoured an expansive interpretation of a data subject's right of access under the EU GDPR, which generally aligns with the ICO guidance, but includes as in-scope data any information ‘relating to’ the data subject such as:
- Personal opinions: In the EDPS v SRB case (C-2025/645), the CJEU ruled that personal opinions or views are inherently linked to the individual expressing them and therefore constitute personal data.
- Internal communications: Internal notes and communications about the data subject are considered personal data and are in scope.
- Log data: In the J.M. v Pankki S case (C-579/21), the court included log data or metadata, which are details of who accessed personal data, when, and for what purpose, as personal data. An employer may, however, withhold the identity of employees who accessed the data if it can be justified.
While the scope is broad, the right to access is not unlimited, and organisations can withhold or redact personal data in certain circumstances.
The Decision in the French Courts
In a notable June 2025 ruling, France's Court of Cassation (the highest judicial court) held that an employee's right to access professional emails includes both the metadata and the content of those emails. This broadened the scope of DSARs compared to interpretations from the CJEU and France's data protection authority, the Commission Nationale de l'Informatique et des Libertés (CNIL), which translates to the National Commission on Informatics and Liberty.
The French approach to DSARs is based on the GDPR together with the French Data Protection Act 1978 (as amended), which complements the GDPR. In addition to the Court of Cassation's recent clarification, the right of access includes the following key aspects:
- Individuals have the right to request a copy of their personal data being processed, as outlined in Article 15 of the GDPR and incorporated into French law.
- Access requests can be limited to protect the rights and freedoms of others or if a request is deemed ‘manifestly unfounded or excessive’.
- The CNIL actively enforces the right of access and has taken action against organisations that fail to fully respond to requests.
Impact for French Employers
This ruling marks a significant shift in France's interpretation of employee DSARs, moving away from previous, more restrictive views. Companies operating in France must now prepare for more extensive employee requests, especially in the context of employment disputes.
To comply with the new standard, employers should:
- Update their data retention policies to align with the expanded scope of access rights.
- Have clear, documented internal procedures for handling DSARs.
- Ensure they can retrieve both the content and metadata of professional emails in a timely manner.
- Conduct a case-by-case analysis of disclosure requests to balance the employee's rights with the protection of third-party data and company secrets.
How Does This Affect UK Employers and the UK GDPR?
As this is a decision of the French courts interpreting the EU GDPR, it does not apply to UK-based employers that are UK controllers operating under the UK GDPR. It is also unlikely that this interpretation will be taken up by UK courts or used by the UK government to amend the law and extend the scope of DSARs.
The aim of the last government in introducing the Data (Use and Access) Bill was to reduce what it saw as a burden on UK businesses to comply with data protection law. This theme was picked up by the current government, and some changes and clarifications to subject access rules were introduced in the Data (Use and Access) Act 2025. These include:
- The need to conduct searches that are ‘reasonable and proportionate’ to find the requested information
- A ‘stop the clock’ rule whereby the one-month response time can be paused if the organisation needs more information from the requester
- A right to complain formally to the data controller, who must have a process in place to handle these complaints
- The need to provide information in an accessible, concise, and intelligible format and disclose it securely.
However, extending the scope of DSARs to cover business emails and email metadata was not included, nor was it raised during the consultation on the Bill.
For now, UK employers won’t have to take a wider view on business emails and should follow the ICO guidance. Even in the UK, handling employee DSARs can be time consuming and costly if records are not well kept and staff are unprepared. For a detailed breakdown of DSARs and your obligations around them, read our blog on Everything You Need to Know About DSARs. However, below are a few top tips to help ensure your handling of employee DSARs is simple and compliant with the Regulation’s requirements:
- Have defined processes and templates to handle DSARs, even (or perhaps especially) if you haven’t received one in the past.
- Include information on rights and limitations for subject access in policies and employee privacy notices to manage expectations.
- Manage employee records in a structured way and store them so that they can be searched and extracted quickly and easily.
- Have a retention and disposal policy to delete records in a timely and structured way when they are no longer necessary for processing. But remember, deleting them after a request has been received is an offence.
- Searching email accounts is difficult and yields poor results if email management is poor or if housekeeping rules are not in place or not enforced. So, set rules on the use, management and deletion of emails. These could include quotas on email account sizes and timed prompts to delete emails. Best practice is to save emails relating to an individual as an employee in the same place as the rest of their personnel records.
- Ensure that your organisation has ready access to expertise to advise on DSARs, to redact information where exemptions apply and to present the information in a compliant way so that the requester understands how the information has been searched, assessed and why it has been withheld.
- Don’t hesitate. You have a month to respond, so act quickly.

How URM Can Help
Consultancy
If your organisation would benefit from assistance handling DSARs, or with any other aspect of GDPR compliance, URM is the ideal partner to provide this assistance. For help with DSARs, our highly qualified and experienced data protection team can offer a DSAR support service where we can manage the entire DSAR process. Once the raw data has been gathered, our GDPR consultants can sift through, remove duplicates, apply the necessary exemptions and redactions and package the DSAR for disclosure, all within the required timeframe.
In addition to our DSAR management and redaction services, URM can support any other aspect of data protection compliance that you require. For example, we can conduct a GDPR gap analysis of your current processing practices against the requirements of the Regulation, and provide a prioritised plan for remediating any issues we identify. In addition, we can offer more specific services, such as help conducting data privacy impact assessments (DPIAs) or producing a record of processing activities (ROPA). For ongoing support, we can provide a virtual data protection officer (DPO) service, which enables you to access an entire team of data protection experts, each with their own specialised area of GDPR consultancy.
Training
URM regularly delivers a range of data protection-related training courses, each of which is led by an experienced data protection practitioner. If you would like to develop your team’s confidence and ability in their management of DSARs, URM delivers a 1-day ‘How to Manage DSARs’ training course which provides clear and practical instruction and guidance on dealing with all aspects of a DSAR. To learn how to conduct other key compliance activities, you can attend our half-day training courses on Conducting DTIAs and Conducting DPIAs. Meanwhile, if you would like to learn about the UK data protection landscape in general and gain an industry-recognised qualification, attend URM’s BCS Certificate in Data Protection (CDP) course, which will fully prepare you to sit and pass the BCS-invigilated examination.