How should employers calculate the timescale for responding to a data subject access request?
An employee has the right to make a data subject access request (DSAR) to obtain information from their employer about the personal data that is being processed about them. In addition to a copy of their personal data, the employer must also provide the employee with the following information:
- the purposes of the processing;
- the categories of personal data concerned;
- the recipients or categories of recipient the personal data is disclosed to;
- the retention period for storing the personal data or, where this is not possible, the criteria for determining how long it will be stored;
- the existence of their right to request rectification, erasure or restriction or to object to such processing;
- the right to lodge a complaint with the ICO or another supervisory authority;
- information about the source of the data, where it was not obtained directly from the individual;
- the existence of automated decision-making (including profiling); and
- the safeguards provided if personal data is transferred to a third country or international organisation.
Responding to a DSAR can be time-consuming. It involves not only searching for the employee’s personal data but also considering whether any of the data relates to other individuals and so should be redacted. There are also certain exemptions from the obligation to comply with the DSAR which may need to be considered.
However, there are strict time limits that the employer must comply with. DSARs must be handled without undue delay and, in any case, within one month of receipt of the request. The employer may in certain circumstances extend that by two months, although this will only be where requests are particularly complex or numerous. In such a case, the employer must tell the employee within one month of the request and provide reasons.
It is important for employers to know how to calculate the deadline for responding to the DSAR. The Information Commissioner’s Office (ICO) has recently updated its guidance on this point. The guidance clarifies that the day of receipt of the DSAR is “day one”, as opposed to the day after receipt. Therefore, in the given example, a DSAR received on 3 September should be responded to by 3 October.
An employee who believes that the employer has failed to comply with the requirements of GDPR has two main routes to challenge the response to the DSAR:
- a complaint to the Information Commissioner, which may lead to investigation by the Commissioner;
- an application to court for a compliance order.
Employers should review their data protection policies and procedures on handling DSARs to ensure that they reflect the ICO’s guidance on the timescale for the response.
11 September 2019
©2020 SCRASE LAW LTD. THIS POST IS FOR GENERAL INFORMATION ONLY AND IS NOT ADVICE. YOU ARE RECOMMENDED TO SEEK COMPETENT PROFESSIONAL ADVICE BEFORE TAKING ANY ACTION ON THE BASIS OF THIS POST