The Information Commissioner’s Office recently revised its guidance on timescales for compliance with Data Subject Access Requests in situations where more information is required from a data subject (e.g. to clarify a request). The timeframe for response is no longer paused if you need to ask the data subject for more information to understand the nature and scope of their request. This document has been updated in line with this guidance.
This Letter Acknowledging Subject Access Request and Asking for More Information – GDPR Compliant should be used by employers to acknowledge receipt of an individual’s request under the General Data Protection Regulation (GDPR) for information held about them by a company and ask for more information about the request. As the GDPR applies to all personal data that an organisation processes, employers should accept subject access requests not just from employees, but also from workers, contractors, apprentices and volunteers.
This letter has optional clauses depending on whether the employer needs more information in order to fulfil the data subject access request or the employer needs the individual to provide proof of his or her identity.
Under GDPR, the time limit for an employer to respond to a subject access request is one month from the date of receipt. If a request is complex, the time period for response can be extended by a further two months. The employer must inform the individual of any such extension within one month of the request, together with the reasons for the delay.
The GDPR allows individuals to access information from organisations that process their personal data by means of a subject access request. The company must advise the employee on:
- whether or not the employee's personal data is being processed;
- the purposes of the processing and the categories of personal data concerned;
- the recipients to whom the data has been or will be disclosed;
- how long the data will be stored, or how that period is determined;
- the employee's rights in relation to the rectification or erasure of data, the restriction of processing and how to object to processing;
- the employee's right to lodge a complaint with the supervisory authority;
- any third-party sources of the data, where this information is available; and
- information about the logic involved in any automated decision-making, if applicable.
The company is also required to provide the employee with a copy of the personal data undergoing processing.
This document is in open format. Either enter the requisite details in the highlighted fields or adjust the wording to suit your purposes.