Alja Poler De Zwart authored an article for the International Association of Privacy Professionals on guidance issued by the UK Information Commissioner's Office and the Netherlands' Autoriteit Persoonsgegevens. According to that guidance, companies facing an increase in data subject requests (DSRs) from concerned individuals in the aftermath of large security breaches cannot extend the one-month response period.

"Such a position imposes unreasonable burdens on organizations in the midst of a large security breach," Alja wrote. "It is also contrary to the legislative history of the GDPR and the guidance of other European DPAs, such as France, Belgium, and Spain. Given the stakes for companies not complying with DSRs in a timely manner, it is high time the European Data Protection Board provides uniform guidance in line with the legislative history of the GDPR."

She added that "when the number of total DSRs submitted to an organization significantly exceeds that which would normally be expected by an organization of its type and size, the organization should be able to extend the one-month deadline by another two months, as provided in Article 12(3) of the GDPR."

© Morrison & Foerster LLP. All rights reserved