To what extent do employers need to comply with the GDPR when processing immigration data?

Requests for personal information are often received by employers. However, in light of the General Data Protection Regulations 2018 (GDPR), employers may be unsure whether they are allowed or required to provide it.

European laws enshrine rights to privacy and protection of personal data. These rights are supplemented by the Data Protection Act 2018. Article 23 of the GDPR provides circumstances when member states may enact their own laws to restrict these rights. The legislation provides an exemption where personal data is processed to ensure effective immigration control. In practice the exemption gives Boarder Control the right not to provide certain immigration data to the subjects of that data where they request it, if in doing so, it would be likely to prejudice the immigration processing purpose. Clearly this is controversial as the data subject may have a distinct interest in seeing it and knowing what data is held about them, particularly when, as admitted by the Chief Inspector of Boarders, there is a 10% approximate error rate in the information which immigration decisions may be based.

A claim was brought by the Open Rights Group. It argued the immigration exemption was unlawful and that disclosure of immigration information held should be required rather than be exempt from disclosure under U.K law. Open Rights further argued that failure to disclose the information held was a breach of human  rights.

The defendants argued that the immigration exemption was lawful and meant information could therefore be held and not disclosed by an organisation on this ground rather than on more serious grounds i.e. to prevent criminal activity thus de-stigmatising the immigration issue. The Information Commissioner’s Office agreed with the defendants and submitted that statutory guidance would also assist in making the exemption proportionate.

The High Court ruled that the immigration exemption was lawful and “plainly a matter of important public interest”. There was nothing unlawful about controllers processing immigration data without complying with GDPR but only to the limited extent that it is necessary to ensure effective immigration control. The Judge went on to say that there was nothing unlawful about other data controllers also being able to process such data for specific purposes.

Employers will be familiar with processing immigration data for candidates and employees. As such it is possible to envisage situations where an employer faced with a request for immigration information may potentially wish to rely on this exemption rather than disclose information. However, watch this space as it is understood the decision may be appealed.

Here at Lupton Fawcett we have expertise in Immigration, Data and Employment law and provide both training and advice. For further information about any of the issues raised, please don’t hesitate to contact Angela Gorton.

Please note this information is provided by way of example and may not be complete and is certainly not intended to constitute legal advice. You should take bespoke advice for your circumstances.

Get In Touch Today!

Get In Touch Today!

Please complete this form to make an enquiry and we will get back to you as soon as we can.

Remember you can still call us on 0333 323 5292 or email us at

  • This field is for validation purposes and should be left unchanged.