ICO updates GDPR guidance on deadline for responding to subject access requests

Back to HubNext ArticlePrevious Article

ICO updates GDPR guidance on deadline for responding to subject access requests

To share this article:

EmailTwitterLinkedIn

One month limit for response now includes the day the request was received.

The Information Commissioner’s Office (“ICO”) has changed its guidance on how much time data controllers have to respond to data subject access requests (“SARs”).

 

“Subject access request” is a term used to describe any request from an individual to an organisation under the General Data Protection Regulation (“GDPR”) for confirmation that it holds personal data about her, access to that data and to certain information prescribed by law about the source, uses of and onward transmission of that data.  

 

A SAR can arise when any request is made relating to personal data held by an organisation, and the individual need not mention the GDPR for the organisation to be legally obliged to respond. 

 

Under Article 12(3) of the General Data Protection Regulation, controllers must respond to a SAR (providing a full response or justifying any extension) without undue delay and in any event within one month - a strict deadline which, if not met, can result in a GDPR breach and potential fines.

 

Previous ICO guidance stated that the “one month” did not include the date the SAR was received.  Following a recent European court case, this has been revised:  the day of receipt is now the first day of the one-month period to respond to a SARA response must therefore be given on or by the corresponding calendar date in the next month.

 

Data Protection Officers and persons with responsibility for data protection compliance should ensure internal procedures for SAR responses are appropriately updated.  They should also consider providing updates to personnel involved in handling SARs.

 

The ICO’s revised guidance is now available from the ICO at:

https://ico.org.uk/for-organisations/guide-to-data-protection/whats-new/

 

PDT’s data protection team would be pleased to assist if you have any questions about making or responding to SAR requests. Please contact Ian or Victoria with your enquiry.

The content of this webpage is for information only and is not intended to be construed as legal advice and should not be treated as a substitute for specific advice. PDT Solicitors LLP accepts no responsibility for the content of any third party website to which this webpage refers.

Back to HubNext ArticlePrevious Article

Related Content

PDT Solicitors Accredited and Award Winning

C

This site uses cookies.

Some of these cookies are essential, while others help us to improve your experience by providing insights into how the site is being used.

Necessary Cookies

Necessary cookies enable core functionality. The website cannot function properly without these cookies, and can only be disabled by changing your browser preferences.

Analytical Cookies

Analytical cookies help us to improve our website by collecting and reporting information on its usage.

X