This Practice Note examines data subject access requests (DSARs) under the EU General Data Protection Regulation (Regulation (EU) 2016/679) (EU GDPR) and the Data Protection Act 2018 (Ireland) (DPA 2018 (IRL)). DSARs allow individuals, including employees, to access personal data held by controllers to verify the lawfulness of processing. They are the most frequent basis for complaints to the Irish Data Protection Commission (DPC). The note outlines employers’ obligations when receiving DSARs, including timelines, scope, and form of responses, as well as restrictions and rights to rectification and erasure. It also considers guidance from the DPC and the European Data Protection Board on practical compliance in the employment context.