The UK Information Commissioner’s Office (ICO) has amended its guidance on the time limit for responding to a subject access request (SAR).
Under Article 12 GDPR, a data controller must respond to a SAR “without undue delay and in any event within one month of receipt of the request.” This can be extended by a further two months if the request is complex or a number of requests have been made by the data subject.
The ICO’s previous guidance on SARs noted that the one month time limit should be calculated from the day after the SAR is received until the corresponding calendar date in the next month. This meant that if the SAR was received on 19 August 2019, the response deadline would be 20 September 2019.
The ICO’s guidance has been amended to state that the time limit for a response starts from the day the request is received (whether it is a working day or not) until the corresponding calendar date in the next month. Therefore, if the SAR was received on 19 August 2019, the data controller should respond by 19 September 2019.
This (belated) change is to reflect a 2004 decision from the Court of Justice of the European Union (Case C-171/03 Maatschap Toeters and M.C. Verberk v Productschap Vee en Vlees). This judgment considered Article 3 of European Regulation 1182/71 on the rules applicable to time periods set out in acts of the Council of the European Union and the European Commission.
Aside from this one change, the ICO’s previous guidance on SARs remains the same – in circumstances where the following month is shorter (and there is no corresponding calendar date), the date for response is the last day of the following month. Further, if the corresponding date falls on a weekend or a public holiday, the data controller will have until the next working day to respond. Therefore the exact number of days a data controller has to comply with a request will vary, depending on the month in which the request was made.
Following this amended guidance, data controllers should review and update their SAR policies and procedures to ensure continued compliance with their data protection obligations.