February 19, 2020

February 19, 2020

Subscribe to Latest Legal News and Analysis

February 18, 2020

Subscribe to Latest Legal News and Analysis

February 17, 2020

Subscribe to Latest Legal News and Analysis

Subject Access Requests – What Does ‘One Month’ Mean?

The Information Commissioner's Office (ICO) has confirmed a small, but important, change to the time limits for responding to subject access requests (SARs) under the General Data Protection Regulation (GDPR). Calculation of the one-month time limit should begin from the date on which the request was received, not the day after. Therefore, if a request is received on 3rd September, the deadline for responding will be 3rd October (rather than 4th October, as previously understood). The ICO update on the subject, which follows a (2004) CJEU decision on time limits, is here and the guidance on subject access rights has been updated to reflect this.

As a further reminder, it does not matter if the SAR is received on a non-working day – that date will still be the date from which you calculate the time limit. However, if the corresponding date in the next month is a weekend, or bank holiday, then the deadline for responding is the next working day. In cases where the following month is shorter, and there is no corresponding calendar date, then the deadline becomes the last date of that following month. For example, a request received on 31st October will have a deadline of 30th November.

Organisations must still comply with a request without undue delay and within one month of receipt, although there is some scope to extend this if necessary, to: clarify the request; confirm identity of the requester; or seek to charge a fee (in limited cases). In all cases, SARs should be carefully handled and processed, with due consideration to the already short time-frame to respond. This clarification of the law effectively makes that period one day shorter.

We await further updated guidance from the ICO on SARs, following the GDPR and DPA 2018 and will provide this information as soon as we have it. In the meantime, we recommend checking and updating internal procedures for handling SARs and do get in touch with if you have any questions, or concerns.

© Copyright 2020 Squire Patton Boggs (US) LLP


About this Author

Andrea Ward Director London Squire Patton Boggs Data Privacy & Cybersecurity Practice GDPR UK Data Protection Act 2018.

Andrea Ward serves as a director in the Data Privacy & Cybersecurity Practice. She has a multitude of experience advising on data protection laws and compliance with the General Data Protection Regulation (GDPR) and UK Data Protection Act 2018.

Andrea assists clients on data breach and reporting requirements, including liaising with the ICO. She advises on and drafts privacy documentation, including notices, policies and contracts, and provides guidance on data subject rights, such as subject access requests. Andrea is also interested in social media, employee privacy,...