SAR you ready? The timescale for data subject requests just got shorter
Aug 23, 2019
Author: Jessica Vautier
The Information Commissioner’s Office (ICO) has changed their guidance on subject access requests (SARs), as well as other data subject requests relating to their individual rights such as rectification, erasure and data portability. We have referred to them throughout as “data subject requests” or “DSRs”.
Under the previous guidance, the recipient of a DSR had to respond within 1 month, starting from the day after they received it.
However, under the new guidance, the recipient must respond to a DSR with 1 month, .
The change in guidance was announced on 15 August 2019, and is effective immediately. This gives recipient organisations 1 day less to comply with each request, even if they are mid-way through responding to a DSR. This change has the potential to catch people out, particularly those dealing with complex and time-consuming DSRs, or who have coded response times into their systems.
The “1 month” time limit is not a set number of days – the deadline to respond is the corresponding calendar day in the next month. For example, if you receive a DSR on 3 September, you must respond to it by 3 October (whereas under the previous guidance meant a deadline of 4 October).
As previously, if there is no corresponding calendar date because the following month is shorter, the deadline will be the last day of the following month. A DSR received on 30 January would therefore be due on either 28 or 29 February, depending on the year. If the deadline falls on a weekend or public holiday, the ICO guidance allows you until the next working day to respond.
According to the ICO’s announcement, the update is based on a ruling by the Court of Justice of the European Union (CJEU) from 2004, in Case C-171/03 Maatschap Toeters and M.C. Verberk v Productschap Vee en Vlees. It is unclear why a ruling from 2004 has resulted in a change to guidance in 2019 – the ICO did not wish to expand on the announcement when we asked – but although the case related to early marketing premiums for veal calves (which isn’t a usual data protection topic), it does include a ruling on the interpretation of time limits under European law (namely European Regulation 1182/71).
If you require advice or assistance in relation to subject access requests, Waterfront’s data protection team would be delighted to assist. We also advise on a range of privacy matters, from drafting policies and contracts, to assisting in the event of data breaches. You can contact our team of data protection experts on 020 7234 0200 or at firstname.lastname@example.org.
Jessica is a solicitor in our IT & Commercial team. Her specialist area is data protection and privacy law, including GDPR compliance. Jessica’s expertise includes drafting policies, privacy notices and standard data protection clauses. She also advises on data privacy impact assessments (DPIAs) and legitimate interest assessments (LIAs), as well as negotiation of data processing and data sharing agreements. Jessica is also able to carry out data protection audits. Read more.