Changes to Time Limit for Response

February 2020

The GDPR bestows a number of rights upon individuals (“data subjects”) with respect to their personal data. Among these is theright of access, exercised by means of a data subject access request (or simply “subject access request”). This right gives individuals the right to obtain a copy of their personal data from you, as well as certain other important information such as details of the purposes for which you are using the data and how long you will keep it.

Subject to certain limited exceptions, you must respond to a subject access request within one month of receipt . In some cases, you may need to request additional information to confirm the identity of the individual making the request. Furthermore, if the request is “manifestly unfounded or excessive” or if additional copies of data are required following a request, you may be able to charge a fee to cover your administrative costs (although charging a fee is no longer the norm as it was under the Data Protection Act 1998).

In either of the cases above, the one-month timeframe does not begin until you have received the information and/or the fee from the individual making the request.

If you are processing large amounts of information about someone, you may need to ask them for additional information to clarify the request. Previously, this also effectively paused the one-month time limit for a response. The Information Commissioner’s Office recently updated its guidance on response times and requesting information to clarify a request no longer affects the time limit . If a request is particularly complex or if the individual has made multiple requests, you may be able to extend the time limit by up to two months, but the basic one month window is no longer affected by the need to clarify alone. Consequently, if you need to ask an individual for information to clarify their request but do not need to confirm their identity or ask for a fee, your one-month window begins on the day the request is received, not on the day you receive the information.

Updated Subject Access Request Documents

In response to the ICO’s updated guidance, we have reviewed our selection of data protection documents and updated several of them to reflect the new limitation on response times.

We have also begun to introduce modified references to the UK’s data protection legislation (currently including the EU GDPR) with wording that is more appropriate for Brexit. The EU GDPR continues to apply in the UK during the transitional period and will be replaced with a “UK GDPR” (in many areas virtually identical to the EU version) thereafter. In the interim, references in our documents will receive additional wording covering “successor legislation” – wording which will be updated again once the UK’s post-Brexit data protection framework has been finalised and implemented.

The contents of this Newsletter are for reference purposes only and do not constitute legal advice. Independent legal advice should be sought in relation to any specific legal matter.

Top