The UK Information Commissioner’s Office (ICO) has amended its guidance on the time limit for responding to a subject access request (SAR).
Under Article 12 GDPR, a data controller must respond to a SAR “without undue delay and in any event within one month of receipt of the request.” This can be extended by a further two months if the request is complex or a number of requests have been made by the data subject.
The ICO’s previous guidance noted that the one month time limit should be calculated from the day after the SAR is received until the corresponding calendar date in the next month. This meant that if the SAR was received on 19 August 2019, the response deadline would be 20 September 2019.
The ICO’s guidance now states that the time limit for a response starts from the day the request is received (whether it is a working day or not) until the corresponding calendar date in the next month. Therefore, if the SAR was received on 19 August 2019, the data controller should respond by 19 September 2019.
This (belated) change is to reflect a 2004 decision from the Court of Justice of the European Union (Case C-171/03 Maatschap Toeters and M.C. Verberk v Productschap Vee en Vlees). This judgment considered Article 3 of European Regulation 1182/71 on the rules applicable to time periods set out in acts of the Council of the European Union and the European Commission.
Following this amended guidance, data controllers should review and update their SAR policies and procedures to ensure continued compliance with their data protection obligations.