Just like its predecessor (DPA 2018), the General Data Protection Regulation (GDPR) gives Data Subjects a right to make a Subject Access Request (SAR) to a Data Controller. This means that they can obtain:
- Confirmation that their data is being processed
- Access to their personal data
- Other supplementary information
The supplementary information mentioned above is the same as under section 7 of the DPA (e.g. information about the source and recipients of the data) but now also includes, amongst other things, details of international transfers, other Data Subject rights, the right to lodge a complaint with the ICO and the envisaged retention period for the data.
The DPA allowed Data Controllers 40 calendar days to respond to a SAR. Under GDPR Article 12, the requested information must be provided “without undue delay and in any event within one month of receipt of the request”. This can be extended by a further two months where the request is complex or where there are numerous requests. If this is the case, the Data Subject must be contacted within one month of the receipt of the request with an explanation of why the extension is necessary.
When does the one month to respond start from?
Previously the ICO guidance stated that the day after receipt counted as ‘day one’. This has now been revised following a Court of Justice of the European Union (CJEU) ruling.
It says that Data Controllers should calculate the time limit from the day they receive the request (whether it is a working day or not) until the corresponding calendar date in the next month. For example, a Data Controller receives a request on 3rd September. The time limit will start from the same day. This gives the Data Controller until 3rd October to comply with the request.
If this is not possible because the following month is shorter (and there is no corresponding calendar date), the date for response is the last day of the following month. If the corresponding date falls on a weekend or a public holiday, Data Controllers have until the next working day to respond.
This means that the exact number of days Data Controllers have to comply with a request varies, depending on the month in which the request was made. For example, an organisation receives a request on 31st March. The time limit starts from the same day.
As there is no equivalent date in April, the Data Controller has until 30th April to comply with the request. If 30th April falls on a weekend, or is a public holiday, the Data Controller has until the end of the next working day to comply.
The ICO says that, for practical purposes, if a consistent number of days is required (e.g. for operational or system purposes), it may be helpful to adopt a 28-day period to ensure compliance is always within a calendar month.
Data Controllers need to consider the implications of the revised ICO guidance on their SAR procedures and standard response letters.
You may also be interested in Susan’s Wolf’s blog on the latest case on subject access for paper records.