On the face of it, it seems quite simple: you get one month to deal with a subject access request (SAR or DSAR). Article 12 of the GDPR states the information should be provided “without undue delay and in any event within one month of receipt of the request”. But exactly when does the one-month time limit start, and is that 30 days, 31 days, or the same day of the next month?
This week the ICO published a minor update to its guidance about timescales for dealing with SARs. The update post is a little misleading, though, because the same timescales apply to other rights as well, not just the access right: the right to erasure, the right to portability, etc. Oddly, the update comes from a Court of Justice of the European Union ruling from November 2004, which doesn’t specifically relate to data protection but does set out the court’s interpretation of when time limits start. The outcome is that the ICO now says the month deadline starts on the day the request is received (not from the next day), so a SAR that arrives on the 3rd September now needs to be dealt with by 3rd October.
However, when it comes to time limits for SARs and some of the other individuals’ rights, it’s not actually that straightforward, and sometimes they will have to be dealt with in less than a month. The point is that it’s not a question of how many days you count in a month (30, 31, or maybe 28 if you’re talking about February), but of a general “month” limit. The ICO guidance states that if the same day of the month is not available in the next month (e.g. a request on the 31st March when there’s no 31st April), then you have to complete the request by the end of the following month. So a SAR submitted on the 31st March would need to be completed by 30th April, and a SAR submitted on the 31st January would have to be dealt with by 28th February (or 29th in a leap year). That is not quite what you may have imagined, and it is not a matter of the average number of days in a month. The ICO also states in its guidance: “For practical purposes, if a consistent number of days is required (eg for operational or system purposes), it may be helpful to adopt a 28-day period to ensure compliance is always within a calendar month.”
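For a case-management or ticketing system, the rule above can be sketched as follows. This is an added example, not code from the ICO or from this post: the function names and the sample date range are assumptions, and it implements only the two rules described here (the same-day-next-month deadline with its end-of-month fallback, and the fixed 28-day alternative).

```python
import calendar
from datetime import date, timedelta


def sar_deadline(received: date) -> date:
    """Deadline under the rule described above: the clock starts on the day
    of receipt and ends on the same day of the next month, or on the last
    day of that month when the same day does not exist."""
    if received.month == 12:
        year, month = received.year + 1, 1   # December rolls into January
    else:
        year, month = received.year, received.month + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(received.day, last_day))


def fixed_28_day_deadline(received: date) -> date:
    """The 'consistent number of days' alternative: receipt plus 28 days."""
    return received + timedelta(days=28)


def dates_where_28_days_is_late(start: date, end: date) -> list:
    """Receipt dates in [start, end] for which the 28-day deadline would
    fall after the calendar-month deadline. Expected to be empty."""
    late = []
    day = start
    while day <= end:
        if fixed_28_day_deadline(day) > sar_deadline(day):
            late.append(day)
        day += timedelta(days=1)
    return late


if __name__ == "__main__":
    # Constructed sample receipt dates, including the month-end cases.
    for received in (date(2023, 9, 3), date(2023, 3, 31),
                     date(2023, 1, 31), date(2024, 1, 31)):
        print(received, "->", sar_deadline(received),
              "| 28-day:", fixed_28_day_deadline(received))
    # Check the 28-day shortcut across a leap and a non-leap year.
    print(dates_where_28_days_is_late(date(2023, 1, 1), date(2024, 12, 31)))
```

The tightest case is a request received on 31st January in a non-leap year, where both deadlines land on 28th February.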
So, there you have it: time limits aren’t always as obvious as they seem, and you may not have a full 30 or 31 days to respond to a SAR, but at least we now know the SAR clock starts ticking from the day you receive the request…