How to Redact Employee Records — GDPR-Compliant in 5 Steps
How to protect third-party data in subject access requests under Art. 15 GDPR
Why do employee records need to be redacted?
GDPR subject access requests require the protection of third-party data
Art. 15 GDPR: Right of Access
Every data subject has the right to receive a complete copy of their stored personal data. Employers must comply with this request within one month.
Former employees request data
Particularly after terminations or settlement agreements, former employees regularly request access to their personnel files. In many cases, this serves to prepare employment law proceedings.
Third-party data must be protected
Employee records regularly contain data about colleagues, supervisors and external persons — for example in appraisals, emails or salary comparisons. This third-party data must not be disclosed.
5 Steps to GDPR-Compliant Redaction
A structured process for legally sound results
Collect all relevant documents
Identify and gather all documents from the personnel file: employment contract, email correspondence, appraisals, warnings, memos, payslips, sick notes and references. Check both the digital archive and physical folders as well as email inboxes.
Identify third-party data
Systematically review each document and flag all information that could reveal details about other individuals: names of colleagues, salaries of other employees, assessments by supervisors, contact details of external persons and internal notes referencing third parties.
Create a redaction project and define rules
Set up a redaction project in Docuflair and define rules for which data types should be automatically detected and redacted. Use the Active Directory integration to import employee names and organisational structures as redaction criteria.
Redact automatically and review manually
Let Docuflair apply the defined rules to all documents. Then review the results manually: Were all third-party data captured? Were the data subject's own data correctly preserved? Adjust the redactions as needed.
Export selectively
Export the redacted documents as PDF. Docuflair enables different export versions depending on the recipient — for example, a fully redacted version for the data subject and an internal version with fewer redactions for the legal department.
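The rule-based workflow of steps 3 to 5, as an added example that is not Docuflair's code and not from the original page: a small Python redactor that takes a constructed directory-style name list and one constructed e-mail, masks colleague names, third-party e-mail addresses and third-party salary figures while leaving the data subject's own data untouched, records every redaction in an audit log, and applies a different rule set per export version. All names, the e-mail text and the address convention are constructed for illustration.

```python
import re

# Constructed sample inputs (fictional people): an Active-Directory-style name
# export, the requesting former employee, and one e-mail from her file.
DIRECTORY = ["Anna Example", "Ben Sample", "Carla Muster", "Dirk Test"]
DATA_SUBJECT = "Anna Example"
SUBJECT_EMAIL = "anna.example@example.com"
SAMPLE_EMAIL = (
    "From: ben.sample@example.com\n"
    "Cc: anna.example@example.com\n"
    "Subject: Appraisal Anna Example\n"
    "Anna Example exceeded her targets this year (salary 58,000 EUR).\n"
    "Dirk Test earns 61,000 EUR and disagreed with the rating.\n"
    "Consultant Eva Extern (eva@consult.example) reviewed the figures.\n"
)

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
MONEY_RE = re.compile(r"\b\d{1,3}(?:,\d{3})*(?:\.\d+)? EUR\b")
MASK = "[REDACTED]"

# Rule sets per export version: the data subject's copy gets every rule, the
# legal department's internal copy only loses e-mail addresses.
PROFILES = {
    "data_subject": {"colleague_name", "email_address", "third_party_salary"},
    "legal_internal": {"email_address"},
}

def redact(text, profile, subject=DATA_SUBJECT, subject_email=SUBJECT_EMAIL,
           directory=DIRECTORY):
    """Apply the profile's rules line by line; return (redacted_text, audit_log)."""
    # The subject's own name, address and salary are never masked: Art. 15 GDPR
    # requires them to be handed over in full.
    rules = PROFILES[profile]
    log, out = [], []
    others = [re.compile(r"\b%s\b" % re.escape(n)) for n in directory if n != subject]
    for lineno, line in enumerate(text.splitlines(), 1):
        def hit(rule, match):  # record every redaction for the audit trail
            log.append((lineno, rule, match.group(0)))
            return MASK
        if "colleague_name" in rules:
            for pat in others:
                line = pat.sub(lambda m: hit("colleague_name", m), line)
        if "email_address" in rules:
            line = EMAIL_RE.sub(lambda m: m.group(0) if m.group(0).lower() == subject_email
                                else hit("email_address", m), line)
        if "third_party_salary" in rules and subject not in line:
            line = MONEY_RE.sub(lambda m: hit("third_party_salary", m), line)
        out.append(line)
    return "\n".join(out) + "\n", log
```

Eva Extern is not in the directory list, so her name survives the automatic pass and only her address is caught; that gap is what the manual review in step 4 exists to close.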
Typical Case: Termination and Subject Access Request
A practical scenario from everyday HR operations
An employee is dismissed after 8 years of service. Two weeks later, a letter from their solicitor arrives: a subject access request under Art. 15 GDPR — a complete copy of all stored personal data.
The personnel file comprises over 500 emails, dozens of appraisal forms, payslips, sick notes, internal memos and minutes from employee meetings. These documents are filled with data about colleagues, supervisors and external consultants throughout.
The challenge: within the statutory deadline of one month, all third-party data must be identified and redacted — without removing the data subject's own data. Manually, this would take several working days. With Docuflair Redact, the process can be reduced to just a few hours.
What must not be redacted?
Limits of redaction in GDPR subject access requests
The data subject's own data
All personal data relating to the requesting person must be provided in full and unredacted. This includes: name, salary, appraisals about the person, warnings, working hours and sick days.
Assessments about the person
Subjective evaluations and assessments relating to the data subject also fall under the right of access — even if they were written by a supervisor. Only the identity of the assessor may be redacted in certain cases.
Time Required: Manual vs. Automatic
Comparison of redaction methods for a typical personnel file
| Criterion | Manual | With Docuflair Redact |
|---|---|---|
| Time required (500 documents) | 3 - 5 working days | 2 - 4 hours |
| Error rate | High (fatigue, oversights) | Low (rule-based) |
| Consistency | Variable | Consistently high |
| Traceability | Difficult to document | Complete audit log |
| Scalability | Increases linearly | Nearly constant |
| Different export versions | Requires another pass | Selectable per click |
Redact employee records with confidence
See in a personal demo how Docuflair Redact accelerates your GDPR subject access requests.
Frequently Asked Questions
Answers to the most important questions about redacting employee records
Do I have to hand over an employee file in response to a GDPR subject access request?
Yes. Under Art. 15 GDPR, every data subject has the right to access their stored personal data. You must provide a copy of the data — however, personal data of third parties must not be disclosed. This information must be redacted before handover.
How long do I have to respond to a GDPR subject access request?
The deadline is one month from receipt of the request (Art. 12(3) GDPR). In complex cases, the deadline can be extended by a further two months, provided the data subject is informed of the extension within the first month.
Can Docuflair automatically redact employee records?
Yes. Docuflair Redact automatically detects personal data such as names, email addresses and salary information and redacts them based on defined rules. Through Active Directory integration, redaction rules can be derived directly from the organisational structure. Manual review is still recommended.