Legal Matters by Charlotte Higgins, Bell & Buxton
The company and commercial solicitor with guidance on personal data compliance
Since the introduction of the General Data Protection Regulation (EU 2016/679) – GDPR to you and me – subject access requests have been on the rise.
Whether you are an employer or a supplier of goods and services, if you hold personal data that relates to an identified or identifiable individual, that individual has the right to access their personal data.
On receiving a subject access request, the organisation has one month to respond to that request. It is therefore advisable for organisations to have a policy in place which sets out how to identify a subject access request and understand when the right of access applies. Staff training should also be provided.
The original guidance from the ICO (Information Commissioner’s Office) advised organisations to respond “without undue delay, and within one month, starting from the day after you receive the request”.
The ICO has issued further guidance and clarification surrounding the time frame for responding, and it now says that the one month time frame starts on the day of receipt of the request.
This means that if the subject access request is received on 12 March, the time limit starts from the same day. This gives the organisation until 12 April to comply with the request. If the corresponding date falls on a weekend or a public holiday, you have until the next working day to respond.
This (belated) change by the ICO is to reflect a 2004 decision from the Court of Justice of the European Union (Case C-171/03 Maatschap Toeters and M.C. Verberk v Productschap Vee en Vlees). This judgment considered Article 3 of European Regulation 1182/71 on the rules applicable to time periods set out in acts of the Council of the European Union and the European Commission.
The time limit can be extended by two months, bringing the maximum time frame for responding to three months, where the request is complex or you have received a number of requests from the individual, provided you have notified the data subject of the extension during the initial one-month deadline.
Following this amended guidance, data controllers should review and update their subject access request policies and procedures to ensure continued compliance with their data protection obligations.
Have you received a subject access request from an individual? Please contact Charlotte Higgins on 0114 249 5969 for more advice about how to respond.