Skip to content

What difference does a day make (when dealing with data subject access requests)?

Insight

files

Following a ruling of the Court of Justice of the European Union in the case of Maatschap Toeters and other v Productschap Vee en Vlees, the Information Commissioner’s Office (ICO) issued an announcement on 15 August 2019 in relation to the timescales for responding to data subject access requests. In the announcement the ICO confirmed that:

“We have updated our guidance on timescales for responding to a subject access request (SAR), as well as other individual rights requests. The timescale has now changed to reflect the day of receipt as ‘day one’, as opposed to the day after receipt. For example, a SAR received on 3 September should be responded to by 3 October.”

Whilst a small change on the face of it, it is an important one for data controllers wishing to avoid any criticism for failing to comply with their relevant obligations.

Whilst the example above is based on a one month response time, it is worth remembering that there is scope to extend the time for responding to subject access requests where the request is complex or you have received a number of requests from one individual. Where you are seeking to rely on this extension, the individual making the request must be informed within a month of their request having been received, with an explanation for the extension also being provided.

On a separate but tangentially related matter, it is also worth flagging that PwC was recently fined €150,000 by the Greek equivalent of the ICO for (i) processing employee personal data, based on consent when other lawful basis for processing were more applicable and (ii) for failing to properly document their lawful basis for processing. Whilst not a matter brought by the ICO, this does emphasise the need to move away from consent as a basis for processing employee personal data and the need to set out what the lawful basis for processing is in a clear and accessible privacy notice.

If you require further information about anything covered in this blog, please contact David Hunt, or your usual contact at the firm on +44 (0)20 3375 7000.

This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.

© Farrer & Co LLP, September 2019

Want to know more?

Contact us

About the authors

David Hunt employment lawyer

David Hunt

Partner

David advises employer clients, with a particular focus on the financial services and sport sectors, on a wide range of contentious and non-contentious employment issues. He also acts for individuals in relation to contract and exit negotiations and advises them on matters relating to restrictive covenants. 

David advises employer clients, with a particular focus on the financial services and sport sectors, on a wide range of contentious and non-contentious employment issues. He also acts for individuals in relation to contract and exit negotiations and advises them on matters relating to restrictive covenants. 

Email David +44 (0)20 3375 7214
Back to top