16th August 2019
On 15 August 2019, the Information Commissioner’s Office (ICO) issued updated guidance on the timescales for responding to a data subject access request (DSAR) following a recent ruling of the Court of Justice of the European Union.
The general rule is that DSARs must be complied with without undue delay and at the latest within one month of receipt. The day of receipt of the DSAR will now be counted as day one, instead of the day after receipt. In the ICO’s example, this means that an organisation receiving a DSAR on 3 September has until 3 October to comply.
If there is no corresponding calendar date in the following month, the date for responding will be the last day of the following month. In the ICO’s example, this means that an organisation receiving a DSAR on 31 March has until 30 April to comply.
It makes no difference to the calculation whether the day of receipt is a working day or a non-working day. However, where the calculated date for complying with the DSAR falls on a weekend or public holiday, the organisation has until the end of the next working day to respond.
In light of this change, data controllers should review and revise their data protection and DSAR policies and any other documentation/notifications that reference the timescales for a response, including privacy notices. Relevant staff within the organisation will need to be notified of the change. Controllers should also review their arrangements with any data processors to ensure that the change is suitably addressed.