Monitoring Data and Subject Access Requests
Under privacy law, employees can ask to see the monitoring data you hold on them. Being ready to answer a subject access request is both a legal duty and a test of how disciplined your program is.
A data subject access request, or DSAR, lets an individual ask what personal data an organization holds about them and receive a copy. Because monitoring generates personal data, employees can use a DSAR to see their monitoring records, and you must respond within set rules. This guide explains how DSARs apply to monitoring data, what employees can request, how to respond, and why data minimization makes the whole process easier.
What is a subject access request?
A data subject access request is the right of an individual to ask what personal data an organization holds about them, why, and to receive a copy. It exists under GDPR and similar laws worldwide, and it applies to employees as much as to customers. Monitoring data is personal data, so it falls within scope.
For employers that monitor, this means staff can ask to see the activity, time, and other records held on them. Treating DSARs as a normal part of a monitoring program, rather than a surprise, is part of the lawful basis covered in the GDPR monitoring guide.
How DSARs apply to monitoring data
Because monitoring records relate to an identifiable person, they are personal data and subject to access rights. An employee can request the monitoring data held about them, including activity logs, time records, and, where applicable, screenshots, within the limits the law allows.
This is one reason a disciplined approach to data governance matters: you can only respond well to a DSAR if you know what monitoring data you hold, where it is, and how to retrieve it for one person. Good governance turns a DSAR from a scramble into a routine task.
What employees can request
Through a DSAR, an employee can typically ask for a copy of the personal data held about them, confirmation of what is processed and why, the categories of data, who it is shared with, how long it is kept, and the source. For monitoring, that maps to their activity and time records and the purpose of collection.
What they are entitled to is their own data, not a window into others. Responding usually means extracting one person's records and, importantly, redacting any third-party data that appears alongside, consistent with the boundaries in what monitoring collects.
How to respond to a DSAR
Responding has a clear shape: verify the requester's identity, locate all monitoring data about them, review it for third-party information to redact, and provide a copy in an accessible format within the legal deadline. Documenting each step protects you if the response is later questioned.
The work is mostly retrieval and review, which is why knowing your data landscape in advance matters so much. A program where monitoring data is organized, time-bound, and minimal makes a DSAR a manageable task; one where data is sprawling and unstructured makes it a serious burden.
[Figure: Illustrative eMonitor dashboard, "Access Request Readiness". Panels: Time to fulfil a request; Activity mix. Callout: Minimal collection cut the data to review per request by a third.]
Timelines and limits
Most regimes set a response deadline, commonly one month under GDPR, extendable for complex requests, and usually require the first copy to be provided free. Missing the deadline is itself a compliance failure, so tracking DSARs and their due dates is essential.
There are limits too. You may withhold data that would reveal third parties, certain legally privileged material, or information covered by specific exemptions, and you can push back on manifestly excessive or repetitive requests. Knowing both the duties and the limits keeps responses correct, and local specifics are in the legal guide.
Good practice around DSARs
The organizations that handle DSARs smoothly are the ones that prepared. They have a defined process, a known data map, sensible retention so old data is already deleted, and a clear owner for requests. When a DSAR arrives, they follow a routine rather than inventing a response under time pressure.
Preparation also signals good faith to employees. A program that can answer "what do you hold on me?" promptly and clearly demonstrates that monitoring is bounded and accountable, reinforcing the trust that transparency builds. A DSAR handled well is a trust opportunity, not just an obligation.
Why data minimization helps
The single biggest factor in easy DSAR responses is collecting and keeping less. If monitoring captures only what it needs and deletes it on a short schedule, there is simply less data to find, review, and hand over, and less risk of exposing third parties in the process.
Minimization and sensible retention, the discipline behind data retention and offboarding, make DSARs lighter and lower the stakes of every request. The same restraint that respects privacy day to day pays off directly when someone exercises their access rights.
Best practices for DSAR readiness
A few practices keep you ready for monitoring DSARs:
- Map what monitoring data you hold, where, and why.
- Define a DSAR process with a clear owner.
- Collect only the monitoring data you genuinely need.
- Set short retention so old data is already deleted.
- Be able to retrieve one person's records cleanly.
- Redact third-party data before disclosing.
- Track request deadlines and respond on time.
- Document each response in case it is questioned.
The thread through all of this is that DSAR readiness is mostly a by-product of running a disciplined monitoring program. Minimal collection, clear governance, and short retention make access requests straightforward almost as a side effect, while a sprawling, poorly understood data estate makes every request painful and risky.
It also helps to fold DSAR rights into how you communicate monitoring in the first place. Telling employees up front that they can request their data, and that you will respond, makes the right feel like part of a fair program rather than a confrontation, and it sets expectations that make the occasional request routine on both sides.
Getting DSAR-ready
Begin by mapping the monitoring data you hold and confirming you can retrieve all of one person's records without a major effort. If that is hard today, it is a sign your collection or retention is broader than it should be, which is worth fixing for privacy reasons as much as for DSARs.
Write a simple DSAR process, assign an owner, and align it with your retention schedule so old data is routinely deleted rather than waiting to be requested. A short rehearsal, responding to a test request, reveals any gaps before a real one arrives under a deadline.
Tell employees about their access rights as part of how you communicate monitoring, so the right is understood and the occasional request is routine. Readiness here is mostly the natural result of a minimal, well-governed program, so tightening collection and retention does double duty.
DSAR-friendly monitoring with eMonitor
eMonitor supports DSAR readiness through disciplined data handling: minimal collection by default, clock-in-only scope, role-based access, encryption, and clear records that can be retrieved per user, with GDPR-ready controls and SOC 2 Type II certification. Trusted by 1,000+ companies worldwide and rated 4.8/5 on Capterra and G2.
At $3.90 to $13.90 per user with a 7-day free trial, it keeps the monitoring data footprint small and organized, so responding to an access request is a routine task rather than a burden. Collecting less, and knowing exactly what you hold, is the foundation of meeting access rights with confidence.