We are seeing an increase in Data Subject Access Requests (SARs) where employees ask for WhatsApp messages or content from informal group chats.
For employers, this can feel like a grey area, especially where the business does not control the platform itself. Understanding what sits within scope under UK GDPR is key.
The Information Commissioner’s Office (ICO) makes it clear that data protection law applies to personal data processed in a professional or commercial context, regardless of whether that information sits within a formal HR system or on a messaging platform.
This means employers cannot automatically dismiss WhatsApp messages as irrelevant simply because they were sent outside of email or official software.
Where an employer receives an SAR, they must consider whether they hold personal data relating to the individual.
Therefore, if WhatsApp messages have been saved, relied upon, or incorporated into workplace processes, they are likely to fall within scope.
Some day nurseries, pre-schools and clubs use WhatsApp to communicate with the team, send rotas and share updates. Where management controls the WhatsApp group, it is likely that the contents will form part of an SAR.
Where the group is not controlled by management, such as a private group between colleagues, content can still come within scope if the employer is given screenshots that it then stores within grievance or disciplinary files, or if it holds messages copied into emails or reports, or chat content that has influenced a management decision.
Basically, if an employer has exported messages or retained attachments on company systems, these should also be included in the search.
However, there are important limits.
Employers are not required to obtain information they never held or controlled. The law does not expect organisations to access employees’ personal phones, retrieve content directly from WhatsApp, or disclose purely private conversations that were never shared with the business. In practice, this means that private chats between colleagues on their own devices, which have no connection to workplace decision making, will usually sit outside the scope of an SAR.
Employers should also remember that disclosure is not absolute. UK GDPR allows organisations to withhold information where sharing it would adversely affect the rights and freedoms of others. This may include redacting third-party data or carefully balancing confidentiality obligations when reviewing group chat content.
The key takeaway for employers is to focus on control and purpose. If the organisation has used, stored or relied on WhatsApp messages as part of its professional activities, they may need to be disclosed. If the employer has never held the information and has no reasonable way to access it, it will usually fall outside the SAR.
Taking a structured, proportionate approach helps demonstrate compliance. Clear policies around workplace messaging, documentation practices, and decision making can also reduce uncertainty when SARs arise.
If we can assist with your compliance with an SAR, please call us on 01527 909436.