A Collection is a selection of features, articles, comments and opinions on any given theme or topic. It allows you to stay up‑to‑date with what interests you most.
Login here to access your saved articles and followed authors.
We have sent you an email so you can reset your password.
Sorry, we had a problem.
Tags related to this article
Published 4 September 2019
Revised time limit guidance
Until publishing this revised guidance, the ICO’s position had been that the month’s timescale go comply with a DSAR begins on the day after the DSAR is received. However, the revised guidance makes it clear that this is no longer the case; data controllers are now expected to calculate the time limit from the day that the DSAR is received (regardless of whether this is a working day). For example, the deadline for a DSAR received on 2 September 2019 would be 2 October 2019 (provided a decision is not made to extend the time limit by a further two months).
The other rules for calculating DSAR compliance deadlines remain the same. As a recap, these are:
Clarity on ‘manifestly unfounded or excessive’ DSARs
The revised ICO guidance has helpfully provided some clarity as to what constitutes a ‘manifestly unfounded or excessive’ DSAR (which data controllers are entitled to refuse to comply with).
The guidance explains that a DSAR may be manifestly unfounded if:
The guidance makes it clear, however, that this should not be treated as a simple tick list exercise that automatically means a request is manifestly unfounded. Likewise, data controllers should not presume that a request is manifestly unfounded just because the individual has previously submitted requests which have been manifestly unfounded or excessive, or because the request includes aggressive or abusive language.
Data controllers are expected instead to consider a request in the context in which it is made, and are responsible for demonstrating that it is manifestly unfounded. There must be an obvious or clear quality to it being unfounded and data controllers are expected to consider the specific situation and whether the individual genuinely wants to exercise their rights. If this is the case, it is unlikely that the request will be manifestly unfounded.
The following example is provided in the guidance:
A request may be excessive if:
It depends on the particular circumstances whether a request is excessive. A DSAR will not necessarily be excessive just because the individual:
When deciding whether a reasonable interval has elapsed the following should be considered:
We recommend employers amend their internal DSAR processes and update any employees who handle DSARs to avoid getting caught out by the new calculation of the time limit rule. For any DSARs already in the pipeline, we recommend that data controllers aim to comply with the shortened deadline if possible. However, as this amendment was made by the ICO without much fanfare, data controllers may be able to argue in the short term that they were not aware of the change. The guidance on manifestly unfounded or excessive is welcome, as it has been some time coming.
See the new guidance here.
Ceri Fuller, Zoë Wigan, Hilary Larter
Sinead Egan, Barry Reynolds
Neil Bhan, Joanna Taylor