Under the General Data Protection Regulation (GDPR), individuals can request access to the personal data that employers or other organisations hold on them. This is commonly known as a DSAR and is subject to certain conditions.
You are required to respond to DSARs within one month – but when does this start?
According to Information Commissioner's Office (ICO) guidance, the response to a DSAR should be provided "without undue delay" and at the latest within one month of receipt of the request or (if later) within one month of receipt of:
- any requested information to clarify the request;
- any information requested to confirm the requester's identity; or
- a fee (in certain circumstances).
It is possible to extend the time to respond by an extra two months if the request is complex or if the individual has made a number of requests.
The previous guidance from the ICO went on to explain that DSARs "must be responded to within one calendar month, with the day after receipt counting as 'day one'." However, the method for calculating when that month begins and ends has recently been updated by the ICO as a result of the CJEU decision in Maatschap Toeters and M.C. Verberk v. Productschap Vee en Vlees (Case C-171/03).
The time limit should now be calculated from the day the request is received (whether it is a working day or not) until the corresponding calendar date in the next month. The ICO explains that if it is not possible to meet the deadline because the following month is shorter (and there is no corresponding calendar date), the response must be provided by the last day of the following month. For example, if a DSAR is received on 31 March, you have until 30 April to comply with it as there is no equivalent date in April. However if the corresponding date falls on a weekend or a public holiday, the deadline for the response will be the next working day after the holiday or weekend.
Given the potential issues arising from the new rules if the deadline falls on the non-working day or because of the shorter month, the ICO recommends that it may be helpful for practical reasons that organisations adopt a 28-day period to ensure compliance within a calendar month.
Dentons is the world's first polycentric global law firm. A top 20 firm on the Acritas 2015 Global Elite Brand Index, the Firm is committed to challenging the status quo in delivering consistent and uncompromising quality and value in new and inventive ways. Driven to provide clients a competitive edge, and connected to the communities where its clients want to do business, Dentons knows that understanding local cultures is crucial to successfully completing a deal, resolving a dispute or solving a business challenge. Now the world's largest law firm, Dentons' global team builds agile, tailored solutions to meet the local, national and global needs of private and public clients of any size in more than 125 locations serving 50-plus countries. www.dentons.com.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.