The Information Commissioner’s Office (ICO) has updated its guidance on the timescales for responding to data subject access requests (DSARs) to reflect a 2004 ruling of the Court of Justice of the European Union (ECJ) in Maatschap Toeters and M.C. Verbeek v Productschap Vee en Vlees (Case C-171/03) regarding how time periods in EU acts should be calculated.
Under Article 12 of the General Data Protection Regulation, data controllers must respond to a DSAR “without undue delay” and “in any event within one month of receipt of the request”.
The ICO previously stated that this one-month time limit runs from the day after a DSAR is received by a data controller. It has now (albeit belatedly) updated this guidance to bring it in line with the ECJ’s position in Maatschap Toeters by confirming that the one-month time limit runs from the day a DSAR is received (whether that is a working day or not) until the corresponding calendar date in the next month.
The rest of the ICO’s guidance on DSAR response timescales remains unchanged, including its suggestion that it may be practical for organisations to adopt a 28-day period for responding to DSARs to ensure that responses are always provided within one calendar month.
The ICO’s revised guidance is available here.
Businesses should review their DSAR response processes to ensure that they remain compliant with the ICO’s new guidance. If you have any questions about this, or DSARs more generally, Simmons & Simmons has a specialised data protection team who can assist. For more information please contact Robert Allen or Caroline Henzell.
This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.