Subject Access Requests – What Does ‘One Month’ Mean?
The Information Commissioner's Office (ICO) has confirmed a small, but important, change to the time limits for responding to subject access requests (SARs) under the General Data Protection Regulation (GDPR). Calculation of the one-month time limit should begin from the date on which the request was received, not the day after. Therefore, if a request is received on 3rd September, the deadline for responding will be 3rd October (rather than 4th October, as previously understood). The ICO update on the subject, which follows a (2004) CJEU decision on time limits, is here and the guidance on subject access rights has been updated to reflect this.
As a further reminder, it does not matter if the SAR is received on a non-working day – that date will still be the date from which you calculate the time limit. However, if the corresponding date in the next month is a weekend, or bank holiday, then the deadline for responding is the next working day. In cases where the following month is shorter, and there is no corresponding calendar date, then the deadline becomes the last date of that following month. For example, a request received on 31st October will have a deadline of 30th November.
Organisations must still comply with a request without undue delay and within one month of receipt, although there is some scope to extend this if necessary, to: clarify the request; confirm identity of the requester; or seek to charge a fee (in limited cases). In all cases, SARs should be carefully handled and processed, with due consideration to the already short time-frame to respond. This clarification of the law effectively makes that period one day shorter.
We await further updated guidance from the ICO on SARs, following the GDPR and DPA 2018 and will provide this information as soon as we have it. In the meantime, we recommend checking and updating internal procedures for handling SARs and do get in touch with if you have any questions, or concerns.