Employee DSARs, answered without losing the file.
Grievance correspondence names colleagues. Performance notes reference peers. Witness statements name witnesses. Ghost is the workspace where the third parties come out and the meaning stays in — under the one-month deadline, on the record.
EU-hosted · Append-only audit log · Manager notes redacted, decisions logged.

The HR DSAR workflow
Pull. Redact peers. Disclose. Evidence.
An employee — or a leaver, or a rejected candidate — asks for everything you hold. The data is spread across HRIS, ATS, payroll, the performance tool, and a manager's inbox. The work is what happens after the export. Four steps; one workspace.
Step 01
Log and verify
Intake through a branded form, verify identity before any disclosure, and start the Article 12 clock from the moment the request is identifiable.
Step 02
Pull from every system
Export from the HRIS, the ATS, payroll, the performance tool, and the manager's inbox. Ghost holds the case; the HR systems remain the systems of record.
Step 03
Redact third parties
Mask colleagues, witnesses, and peer references. Capture the rationale next to each decision. AI-assisted detection on Solo DPO and DPO Team; manual redaction on every plan.
Step 04
Deliver and evidence
Send via a signed, time-limited link. Keep an append-only audit trail of every step — intake, identity check, redaction, delivery — exportable as evidence when legal or the ICO asks.
Privacy request manager
The clock starts the moment HR logs it.
Branded intake for employees, leavers, contractors, and rejected candidates. Identity verification before disclosure. Task assignment across HR operations, HRBPs, and the recruitment team. Article 12 deadlines tracked automatically.
- Branded intake for employees, leavers, candidates
- Identity verification before any disclosure
- Tasks assignable across HR ops, HRBPs, recruiting
- Article 12 deadline tracked automatically

Redaction in HR files
Peer names out. The meaning stays in.
Upload grievance correspondence, performance notes, investigation files, witness statements. Ghost detects names, identifiers, contact details and proposes redactions. You accept, reject, or refine — and the rationale lands in the audit log next to the redaction.
- PDFs, CSV exports, scanned documents
- AI-assisted PII detection on Solo DPO and DPO Team
- Client-side rendering — files stay in your browser
- Rationale captured next to every redaction decision

Audit log and Article 30 register
What was sent, who decided, when — already on the record.
Every disclosure, every redaction, every retention action — append-only, timestamped, attributable. Records of processing for recruitment, onboarding, payroll, performance, learning, occupational health, and leaver data. The evidence legal and the ICO ask for is already written down.
- Append-only timeline per case
- Article 30 register across the HR processing landscape
- Lawful basis and retention period on every activity
- Audit pack export when legal or the ICO asks

See it end to end
A short walk-through of the workspace.
Redaction, privacy requests, and the audit log — in about three minutes.
What HR teams ask us first
Three questions every people-ops team raises.
“We hardly ever get these.”
Most HR teams don't, until a grievance escalates or a leaver writes. The risk is that the one request that arrives is time-bound and visible to a regulator. A documented process now caps the damage.
“Our HRIS handles GDPR.”
The HRIS stores records. Ghost lives in the moment an employee asks for them — pulling exports together, redacting peer references, assembling the pack, and logging what was sent.
“What about works councils and Art. 88?”
Employment-context processing is regulated differently across member states. Ghost gives HR a single operational record across jurisdictions; the local rules live with your employment lawyer or DPO.
Pricing
Plans for HR teams of every size.
Start free. Move up when DSAR volume or complexity makes a shared inbox untenable.
Free
Run a single DSAR end-to-end before you commit.
- 1 active case
- Manual redaction (PDF, up to 5 pages/file)
- 10 redactions per month
- 1 Article 30 register entry
Solo DPO
For an HR lead or DPO running the privacy programme themselves.
- Unlimited cases and redactions
- AI-assisted PII detection
- Article 30 register + append-only audit log
- €39/mo billed annually (save 20%)
DPO Team
For HR ops, HRBPs, and the DPO sharing the response work.
- Up to 10 seats (€10/extra seat)
- Role-based access (Admin, Operator, Read-only)
- Outbound webhooks for SIEM / chat / ITSM
- Retention schedules per HR data category
- €119/mo billed annually
Compare every feature on the full pricing page.
Redacting HR documents under GDPR
A practical guide to redacting grievance, performance, and investigation files — written for HR teams who actually have to do it on a deadline.
The next employee DSAR is one resignation letter away.
Get the process up before it lands. 30-day free trial — no credit card, EU-hosted.
The regulatory landscape HR teams operate in
Employee personal data sits under the general regime of Regulation (EU) 2016/679 (GDPR), with the right of access under Article 15, the one-month deadline under Article 12, and the processing-record obligation under Article 30 all applying. In the UK the Data Protection Act 2018 sets the domestic regime, supervised by the ICO; the Employment Rights Act 1996 and related workplace legislation determine what HR records must be kept, and for how long.
GDPR Article 88 permits member states to lay down more specific rules for processing in the employment context. The CNIL in France, the BfDI together with the Länder authorities in Germany (where works councils typically have a co-determination role), the ICO in the UK, and other authorities each publish their own employment guidance.
HR operations is where these obligations land in practice, but legal advice usually sits elsewhere — the in-house employment lawyer, the DPO, or external counsel. Ghost is built to support that split: HR runs the operational response, legal advises on the edge cases, and the audit log records what was decided. Ghost does not provide legal advice.