Change to response deadline for GDPR subject access requests
- 29th August 2019
- Posted by: admin
- Category: News
The Information Commissioner’s Office (ICO) has announced that it has updated its guidance on the timescales for responding to a subject access request (SAR), as well as other individual rights requests, following a ruling by the Court of Justice of the European Union which has now been adopted by the European Data Protection Board (EDPB).
Under the GDPR, you must comply with a SAR without undue delay and in any event within one month of receipt of the request, or (if later) within one month of receipt of:
- any requested information to clarify the request;
- any information requested to confirm the requester’s identity; or
- a fee (only in certain circumstances).
You can extend the time to respond by a further two months if the SAR is complex or you have received a number of SARs from the same individual. In this case, you must let the individual know within one month of receiving their request and explain why the extension is necessary.
The updated guidance now states that you should calculate the one-month time limit from the day you receive the SAR (not from the day after receipt), whether it is a working day or not, until the corresponding calendar date in the next month. For example, if you receive a SAR on 3 September, the time limit starts from the same day and this gives you until 3 October to comply with it (not 4 October as previously understood).
If this is not possible because the following month is shorter (and there is no corresponding calendar date), the date for response is the last day of the following month. If the corresponding date falls on a weekend or public holiday, you have until the next working day to respond. This means that the exact number of days you have to comply with a SAR varies, depending on the month in which the request was made.
For example, if you receive a SAR on 31 March, the time limit starts from the same day. As there is no equivalent date in April, you have until 30 April to comply with the request. If 30 April falls on a weekend, or is a public holiday, you have until the end of the next working day to comply.
Source: New feed