The Information Commissioner’s Office (ICO) has changed their guidance on subject access requests (SARs), as well as other data subject requests relating to their individual rights such as rectification, erasure and data portability. We have referred to them throughout as “data subject requests” or “DSRs”.
So what’s changed?
Under the previous guidance, the recipient of a DSR had to respond within 1 month, starting from the day after they received it.
However, under the new guidance, the recipient must respond to a DSR within 1 month, starting from the day of receipt.
When do the changes take effect from?
The change in guidance was announced on 15 August 2019, and is effective immediately. This gives recipient organisations 1 day less to comply with each request, even if they are mid-way through responding to a DSR. This change has the potential to catch people out, particularly those dealing with complex and time-consuming DSRs, or who have coded response times into their systems.
So how long does that mean I have to respond?
The “1 month” time limit is not a set number of days – the deadline to respond is the corresponding calendar day in the next month. For example, if you receive a DSR on 3 September, you must respond to it by 3 October (whereas the previous guidance meant a deadline of 4 October).
As previously, if there is no corresponding calendar date because the following month is shorter, the deadline will be the last day of the following month. A DSR received on 30 January would therefore be due on either 28 or 29 February, depending on the year. If the deadline falls on a weekend or public holiday, the ICO guidance allows you until the next working day to respond.
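For organisations that have coded response times into their systems, the deadline rule described above can be written as the sketch below. It is an added example, not code from the ICO or from the authors of this article; the function names, the caller-supplied `holidays` set and the years used for the sample dates are assumptions.

```python
import calendar
from datetime import date, timedelta


def add_one_month(d):
    """Corresponding calendar day in the next month.

    If the next month is shorter, fall back to its last day
    (e.g. 30 January -> 28 or 29 February).
    """
    year, month = (d.year + 1, 1) if d.month == 12 else (d.year, d.month + 1)
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))


def next_working_day(d, holidays=frozenset()):
    """Roll forward past weekends and any public holidays supplied."""
    while d.weekday() >= 5 or d in holidays:  # 5 = Saturday, 6 = Sunday
        d += timedelta(days=1)
    return d


def dsr_deadline(received, holidays=frozenset(), previous_guidance=False):
    """Last day on which a response to a DSR is in time.

    previous_guidance=True starts the month from the day after receipt,
    as before 15 August 2019; the default starts it on the day of receipt.
    `holidays` is a set of dates the caller maintains (assumption: the
    public-holiday calendar is not built in here).
    """
    start = received + timedelta(days=1) if previous_guidance else received
    return next_working_day(add_one_month(start), holidays)


if __name__ == "__main__":
    # Sample receipt dates; the years are assumed for illustration.
    for received in (date(2019, 9, 3), date(2019, 1, 30), date(2019, 9, 5)):
        print(received,
              "new:", dsr_deadline(received),
              "previous:", dsr_deadline(received, previous_guidance=True))
```

Storing the receipt date and calculating the deadline from it, rather than storing a fixed number of days, means a change in guidance like this one needs an update in only one place.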
Why the change now?
According to the ICO’s announcement, the update is based on a ruling by the Court of Justice of the European Union (CJEU) from 2004, in Case C-171/03 Maatschap Toeters and M.C. Verberk v Productschap Vee en Vlees. It is unclear why a ruling from 2004 has resulted in a change to guidance in 2019 – the ICO did not wish to expand on the announcement when we asked – but although the case related to early marketing premiums for veal calves (which isn’t a usual data protection topic), it does include a ruling on the interpretation of time limits under European law (namely European Regulation 1182/71).