Subject access requests – how quickly should I reply?
The UK Information Commissioner’s Office (ICO) has amended its guidance on the time limit for responding to a subject access request (SAR).
Under Article 12 of the GDPR a data controller must respond to a SAR “without undue delay and in any event within one month of receipt of the request”. Previous guidance stated that this one month time limit should be calculated from the day after the SAR is received.
This guidance has now been updated to make clear that when calculating the one month time limit, the period starts on the day of receipt (rather than the day after receipt) and runs until the corresponding calendar date in the following month.
For example, if a SAR was received on 21 September, the response deadline would be 21 October. If the request is received on a day which does not have a corresponding date in the following month, the response is due on the last day of the following month. So, if a request is made on 31 August, the last day for responding is 30 September. If this date falls on a weekend, or is a public holiday, the organisation has until the end of the next working day to comply.
For practical purposes, the ICO suggests that if a consistent number of days is required (e.g. for operational or system purposes), it may be helpful to adopt a 28-day period to ensure compliance is always within a calendar month.
Data controllers are able to extend the time to respond by a further two months if the request is complex or if a number of requests have been received from an individual. The data controller must inform the individual of the extension, and the reason for it, within one month of receiving the request.
These changes rather belatedly follows a 2014 ruling by the Court of Justice of the European Union (CJEU) in Maatschap Toeters and M. C. Verberk v Productschap Vee en Vlees (Case C-171/03) which considered the rules applicable to time frames in European Community legislation.
The updated ICO guidance can be found here: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-of-access/
We recommend that organisations ensure that their data protection policy properly explains its procedure for handling subject access requests. If you would like any assistance with updates to your policies, please contact Charlotte Burroughs.