Under the General Data Protection Regulation (GDPR), individuals can request access to the personal data that employers or other organisations hold on them. Such a request is commonly known as a data subject access request (DSAR) and is subject to certain conditions.
You are required to respond to DSARs within one month – but when does this start?
According to the Information Commissioner’s Office (ICO) guidance, the response to a DSAR should be provided “without undue delay” and at the latest within one month of receipt of the request or (if later) within one month of receipt of:
- any requested information to clarify the request;
- any information requested to confirm the requester’s identity; or
- a fee (in certain circumstances).
It is possible to extend the time to respond by an extra two months if the request is complex or if the individual has made a number of requests.
The previous guidance from the ICO went on to explain that DSARs “must be responded to within one calendar month, with the day after receipt counting as ‘day one’.” However, the method for calculating when that month begins and ends has recently been updated by the ICO as a result of the CJEU decision in Maatschap Toeters and M.C. Verberk v. Productschap Vee en Vlees (Case C-171/03).
The time limit should now be calculated from the day the request is received (whether it is a working day or not) until the corresponding calendar date in the next month. The ICO explains that if it is not possible to meet the deadline because the following month is shorter (and there is no corresponding calendar date), the response must be provided by the last day of the following month. For example, if a DSAR is received on 31 March, you have until 30 April to comply with it as there is no equivalent date in April. However, if the corresponding date falls on a weekend or a public holiday, the deadline for the response will be the next working day after the holiday or weekend.
Given the potential issues arising from the new rules where the deadline falls on a non-working day or the following month is shorter, the ICO recommends that it may be helpful, for practical reasons, for organisations to adopt a 28-day period to ensure compliance within a calendar month.
Should you have any questions about DSAR compliance, please contact the Dentons Employment team.