How JustAnswer Works:
  • Ask an Expert
    Experts are full of valuable knowledge and are ready to help with any question. Credentials confirmed by a Fortune 500 verification firm.
  • Get a Professional Answer
    Via email, text message, or notification as you wait on our site. Ask follow up questions if you need to.
  • Go back-and-forth until satisfied
    Rate the answer you receive.
Ask Ed Turner Your Own Question
Ed Turner
Ed Turner,
Category: Law
Satisfied Customers: 1910
Experience:  Director and Consultant Solicitor (Self-Employed) at Ed Turner LLB Limited
Type Your Law Question Here...
Ed Turner is online now

I would like to ask a question on subject access requests

This answer was rated:

I would like to ask a question on subject access requests and what people have access to. Particularly WhatsApp on personal devices
JA: Where are you? It matters because laws vary by location.
Customer: UK
JA: What steps have you taken so far?
Customer: none
JA: Is there anything else the Lawyer should know before I connect you? Rest assured that they'll be able to help you.
Customer: not that I can think of

Hello.   I am Ed, a Solicitor qualified in England & Wales with over a decade’s experience in the legal profession advising clients.

I specialise in Commercial Contracts, Business Transactions, Employment, Dispute Resolution, Personal Injury and Road Traffic Law and shall be reviewing your legal problem today.

Regarding the site’s automatic offer of a Premium Service Phone Call, I shall be delighted to talk with you by phone to discuss your issue in greater detail if you accept the offer.

However, if you do not want a phone call, please cancel the offer for a Premium Service Phone Call and you will not be charged extra.

Customer: replied 10 days ago.
Hi Ed, thanks fir your time.
Customer: replied 10 days ago.
My query concerns Subject data acces requests and what we are inclined to handover and what we are not

If the other party as Data Controller and/or Data Processor has incorrectly Processed your Personal Data as a Data Subject in leaking it to other parties without a proper reason and is therefore in breach of the Data Protection Act 2018 of England & Wales (“DPA”) and the EU’s General Data Protection Regulation (“GDPR”).

The UK’s Data Protection Regulator is the Information Commissioner’s Office (“ICO”).   Their website contains much useful guidance which is in plain English for a non-lawyer to understand:

The other party as a Data Controller and/or a Data Processor must adhere to the Seven Key Principles of Data Protection Law:

1.  Lawfulness, Fairness, and Transparency.

2.  Purpose Limitation.

3.  Data Minimisation.

4.  Accuracy.

5.  Storage Limitation.

6.  Integrity and Confidentiality (Security).

7.  Accountability.

In leaking your Personal Data, the other party would be in breach of the Principles of Lawfulness, Fairness, and Transparency, Data Minimisation, Accuracy, Storage Limitation and Accountability at the very least.

Furthermore, a Data Controller and Data Processor must only Process Personal Data if they have a Lawful Basis for so doing:

1.  Consent: the Data Subject has given clear consent to process Personal Data for a Specific Purpose.

2.  Contract: the Processing is necessary for a contract that the parties have entered into, or requested specific steps before entering into a contract.

3.  Legal Obligation: the Processing is necessary to comply with the law (not including contractual obligations).

4.  Vital Interests: the Processing is necessary to protect someone’s life.

5.  Public Task: the Processing is necessary to perform a task in the public interest or for official functions, and the task or function has a clear basis in law.

6.  Legitimate interests: the processing is necessary for the parties’ legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s Personal Data which overrides those legitimate interests.

It appears that the other party has Processed your Personal Data without any Lawful Basis.

As a Data Subject you have rights under the DPA and GDPR in respect of Data Breaches by a Data Controller/Processor:

1.  Right to be Informed.

2.  Right of Access.

3.  Right to Rectification.

4.  Right to Erasure.

5.  Right to Restrict Processing.

6.  Right to Data Portability.

7.  Right to Object.

8.  Rights in relation to Automated Decision Making and Profiling.

You must therefore assert your Rights of Access, Rectification, Restriction of Processing and to Object with the other party.  I suggest that you send a formal written Request to the Data Controller/Data Processor asserting your rights as Data Subject that they correctly Process your Personal Data.

If you do not receive a satisfactory response from the other party after 28 days, I suggest that you report the other party to the ICO and they may investigate the matter and issue a written warning to the other party and threaten an investigation or a fine if they do not take action to minimise the Data Breach and damage.

There is useful guidance on Data Breaches on the ICO’s website:

I hope this resolves your enquiry.   Please revert to me if you require any clarification of my answer to your question and I shall be delighted to assist.

Kind regards


Customer: replied 10 days ago.
Cutting a very long story short, a former staff member at the company I work for has submitted a subject data access request. We do not have work phones, we (the staff) all use WhatsApp
Customer: replied 10 days ago.
Does someone who submits a request like this have access to private WhatsApp conversations
Customer: replied 10 days ago.
Essentially, what does he have the right to see and not see

If the discussions were on work-related activities, then yes.

Customer: replied 10 days ago.
But none related work stuff, for example, personal feelings about this individual?
Customer: replied 10 days ago.
if someone said they thought this person was lazy (not me), would that be required to be turned over

If the comments are directed at their performance at work, then yes.

I have answered your questions as far as I am able to on the Portal.   Obviously, there is a limited amount of advice I can give based on a few lines of text on the Just Answer instant messaging Portal.  Very often the best I can do is “point you in the right direction” for the sake of seeking more detailed advice.

If you want further bespoke advice, I need to review all relevant correspondence and documents and advise in a telephone call.

I will place an offer of a Premium Service Phone Call Request through on the Portal.  If you do not want this additional service, I wish you all the very best in resolving this matter and of course for safely navigating the current “choppy waters” in which we all find ourselves.

Kind regards


Ed Turner and other Law Specialists are ready to help you
Customer: replied 10 days ago.
Ok thanks