The European Union's General Data Protection Regulation ("GDPR") is arguably the most comprehensive - and complex - data privacy regulation in the world. Although the GDPR went into force on May 25, 2018, there continues to be a great deal of confusion regarding the requirements of the GDPR.
To help address that confusion, Bryan Cave Leighton Paisner is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the GDPR.
Answer: The GDPR requires that an organization provide a person who makes an access request with “information on action[s] taken” within one month of receiving the request.1 The one-month time period can be extended by two additional months depending upon the “complexity and number” of requests that a person makes. If a company seeks to rely upon the extension, it must inform the requestor of that fact within the first month.
Although the GDPR states that an organization must provide “information on actions taken,” it does not specifically state that the request must be fully completed during that time period. As a result, a company might argue that it has complied with the timing requirements of the GDPR if within one month it acknowledges a request and provides an update concerning the progress of the organization’s response (e.g., “We are searching our records for relevant information and, once that information is identified, will determine whether we are required to provide those records to you”).