Skip to content

Farrer & Co | What difference does a day make (when dealing with data subject access requests)?

Following a ruling of the Court of Justice of the European Union in the case of Maatschap Toeters and other v Productschap Vee en Vlees, the Information Commissioner’s Office (ICO) issued an announcement on 15 August 2019 in relation to the timescales for responding to data subject access requests. In the announcement the ICO confirmed that:

“We have updated our guidance on timescales for responding to a subject access request (SAR), as well as other individual rights requests. The timescale has now changed to reflect the day of receipt as ‘day one’, as opposed to the day after receipt. For example, a SAR received on 3 September should be responded to by 3 October.”

Whilst a small change on the face of it, it is an important one for data controllers wishing to avoid any criticism for failing to comply with their relevant obligations.

Whilst the example above is based on a one month response time, it is worth remembering that there is scope to extend the time for responding to subject access requests where the request is complex or you have received a number of requests from one individual. Where you are seeking to rely on this extension, the individual making the request must be informed within a month of their request having been received, with an explanation for the extension also being provided.

On a separate but tangentially related matter, it is also worth flagging that PwC was recently fined €150,000 by the Greek equivalent of the ICO for (i) processing employee personal data, based on consent when other lawful basis for processing were more applicable and (ii) for failing to properly document their lawful basis for processing. Whilst not a matter brought by the ICO, this does emphasise the need to move away from consent as a basis for processing employee personal data and the need to set out what the lawful basis for processing is in a clear and accessible privacy notice.

If you require further information about anything covered in this blog, please contact David Hunt, or your usual contact at the firm on +44 (0)20 3375 7000.

This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.

© Farrer & Co LLP, September 2019

This site uses cookies to help us manage and improve the website and to analyse how visitors use our site. By continuing to use the website, you are agreeing to our use of cookies. For further information about cookies, including about how to change your browser settings to no longer accept cookies, please view our Cookie Policy. Click for more info