The ICO has updated its guidance on how long an organisation has to respond to a subject access request (SAR), following a Court of Justice of the European Union (CJEU) ruling.
The guidance previously stated that SARs must be responded to within one calendar month, with the day after receipt counting as ‘day one’.
This has now changed.
‘Day one’ is now the day of receipt – for example, a SAR received on 3 September should now be responded to by 3 October. You should calculate the time limit from the day you receive the request (whether it is a working day or not) until the corresponding calendar date in the next month. If this is not possible because the following month is shorter (and there is no corresponding calendar date), the date for response is the last day of the following month.
The ICO has also updated its guidance on the meaning of ‘manifestly unfounded’ and ‘excessive’. You will know already that a data controller can also refuse to comply with a subject access request if it is:
In order to decide if a request is manifestly unfounded or excessive you must consider each request on a case-by-case basis. You should not have a blanket policy. You must also be able to demonstrate to the individual why you consider the request is manifestly unfounded or excessive and, if asked, explain your reasons to the Information Commissioner.
A request may be manifestly unfounded if:
This is not a simple tick list exercise that automatically means a request is manifestly unfounded. You must consider a request in the context in which it is made, and you are responsible for demonstrating that it is manifestly unfounded.
Also, you should not presume that a request is manifestly unfounded because the individual has previously submitted requests which have been manifestly unfounded or excessive, or because it includes aggressive or abusive language.
The inclusion of the word “manifestly” means there must be an obvious or clear quality to it being unfounded. You should consider the specific situation and whether the individual genuinely wants to exercise their rights. If this is the case, it is unlikely that the request will be manifestly unfounded.
A request may be excessive if:
However, it depends on the particular circumstances. It will not necessarily be excessive just because the individual:
When deciding whether a reasonable interval has elapsed you should consider:
You must inform the individual without undue delay and within one month of receipt of the request.
You should inform the individual about:
You should also provide this information if you request a reasonable fee or need additional information to identify the individual.
If you have any questions about how to respond to or deal with a subject access request, please contact the GDPR team at Paris Smith.