DSARs: Do you know how to calculate your legal response-time under the GDPR?

Have you found yourself a couple of hours or a day too late when responding to an individual’s rights request? Maybe you are not even sure when the GDPR’s “one month upon receipt of the request” deadline expires. So following a better-to-be-safe-than-sorry philosophy, did you send out a rushed and unprepared response a day or two early? Or even decide to extend the deadline by another two months, just in case?

More than a year of GDPR practice shows that every day counts in these kinds of situations. 

Why is this so important?

If it does not comply with this requirement, your company technically risks the highest possible GDPR fine: 20 million euro or 4% of your company’s worldwide turnover. It is likely that the regulators will only impose a significant fine in a situation where a company is consistently missing the one-month response deadline and blatantly disregarding the GDPR in other ways. You should not, however, set up your response process hoping to take advantage of that approach.

GDPR enforcement in the EU is very much complaint-driven. So even if the highest fine for missing a deadline is unlikely, the regulatory investigations triggered by complaining individuals are a drain on a company’s resources and should be avoided at all costs. Your company might therefore want to ensure that it sticks to the legal deadline and keeps the individuals who are making requests as happy as possible so that complaints are not made to the data protection authorities.

Many times individuals complain to the company in question first, before going to a regulator. Note that individuals appear to be more informed about their privacy rights than they used to be, mostly due to the significant publicity that the GDPR has been receiving in the EU for quite some time. So you will not be surprised that, one year down the line since the GDPR’s entry into force, we note many instances of individuals accusing companies of having missed the one-month deadline (sometimes only by a day or two) and threatening to tell their regulators. The response to such a complaint should therefore always be geared towards calming the individual and explaining the situation and legal requirements in language as clear as possible.

So when does the one-month time period start to run and when does it end?

The answer can be found in Regulation No. 1182/71, which determines the rules applicable to time periods, dates, and time limits. The Regulation provides the following rules for time periods expressed in months:

  • Although the time period starts when a request is made, you begin counting from the next day when calculating the time period.
  • The time period to respond to an individual rights request ends at midnight of the day a month later.
  • If the day on which the time period ends does not exist in the month, the time period will end at midnight of the last day of that month.
  • The time period includes public holidays, Sundays and Saturdays.
  • If the last day of the time period falls on a public holiday, Sunday, or Saturday, the time period will end at midnight of the following working day.

Are you confused yet? Hopefully these examples will make your life a bit easier:

Example 1: You receive an access request on June 30th. A one-month time period should be calculated from the next day, July 1, and will run until the corresponding calendar date in the next month. In this example, the time period ends on August 1 at midnight.

Example 2: If a time period of one month is calculated from August 31, then this period cannot end on September 31 because September has only 30 days. The time period will therefore end on September 30 at midnight.

Example 3: If the end date of the time period falls on January 1, which is usually a public holiday throughout the EU, the time period will end on the next working day, which in many EU Member States usually is January 2. If the end date falls on a Saturday or Sunday, the time period will end on Monday, January 2 at midnight, so you get an extra day or two, unless the Monday is a public holiday, in which case the time period ends on Tuesday at midnight.

Are these rules the same across the EU?

Despite the fact that the Regulation attempted to harmonize the calculation of legal time periods across the EU, deviations in application still exist. Some regulators (such as the UK’s Information Commissioner’s Office) have issued specific guidelines on how to handle individuals’ rights requests and, specifically, how to calculate the one-month time period. But, as noted above, those guidelines might not always be consistent with the interpretations of other member states’ data protection authorities. 

The ICO guidance, for example, follows a European Court of Justice ruling from 2004 in a very specific case that was unrelated to privacy and data protection, and which determined that the date on which an event occurs (such as the receipt of a request) is factored into the calculation. So if your company receives a request on Jan. 1, the time period for a response in the U.K. begins on Jan. 1 and ends on the date that has the same number as the date of the request. So, in the above case, this would be Feb. 1, which deviates from the Regulation.

When dealing with individuals’ rights requests, you should therefore always check which member state law applies to each specific request and whether the competent regulators have said anything specific about it. And while you’re at it, checking the applicable member state’s public holidays could give you another day or two of extra breathing room to respond, depending on the situation at hand.
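
The calculation rules above, including the ICO variant and member-state public holidays, can be encoded in a request-tracking system along these lines. This is an added example, not code from the original article; the function names, the caller-supplied holiday set and the sample years are assumptions.

```python
import calendar
from datetime import date, timedelta


def add_one_month(d: date) -> date:
    """Same day number in the following month, clamped to that month's last day."""
    year, month = (d.year + 1, 1) if d.month == 12 else (d.year, d.month + 1)
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))


def response_deadline(received: date, holidays=frozenset(),
                      count_receipt_day: bool = False) -> date:
    """Day at whose midnight the one-month response period ends.

    count_receipt_day=False: counting starts the day after receipt
    (the article's reading of Regulation No. 1182/71).
    count_receipt_day=True: the receipt day itself counts (the ICO
    approach described in the article).
    holidays: public holidays of the applicable member state, supplied
    by the caller. Rolling forward in ICO mode too is an assumption.
    """
    start = received if count_receipt_day else received + timedelta(days=1)
    end = add_one_month(start)
    # A period ending on a Saturday, Sunday or public holiday runs to
    # the next working day.
    while end.weekday() >= 5 or end in holidays:
        end += timedelta(days=1)
    return end


if __name__ == "__main__":
    # Constructed sample requests (years chosen for illustration).
    new_year = {date(2023, 1, 1)}
    print(response_deadline(date(2019, 6, 30)))            # Example 1
    print(response_deadline(date(2019, 8, 30)))            # Example 2
    print(response_deadline(date(2022, 11, 30), new_year)) # Example 3
    print(response_deadline(date(2019, 1, 1), count_receipt_day=True))
```

The same receipt date can yield different deadlines under the two counting modes, so a tracking system should store which rule was applied to each request alongside the computed date.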

Does the one-month time period continue to run while confirming identity?

Another interesting question is what to do if you have reasonable doubt about the identity of the individual who is making a request. Confirming identity can be a time-consuming exercise that eats away at the one-month time period that your company has to respond. The ICO, for example, considered this situation and determined that the one-month time period actually starts when a company has received the information necessary to confirm identity. But you should let the individual know as soon as possible that you need more information, so do not wait till the last moment in the month to start the verification process. Some other EU DPAs are not that explicit, but this approach sounds reasonable for pan-EU purposes.

Does the one-month time period continue to run while you seek clarifications from an individual?

The ICO also has opined that the clock stops running when companies process large amounts of information about individuals and need to ask specific individuals for more information to clarify their requests. The time period for responding to a request begins when you receive the additional information, but only if you let the individual know as soon as possible that you need more information from him or her before responding to his or her request. The problem is that if an individual refuses to provide additional information, you still have to comply with the individual’s request. Again, this approach may be reasonable for pan-EU purposes.

So, what to do?

Have a well-working system in place to track the requests that you receive, especially if you are handling many at the same time that overlap in terms of time periods within which you need to respond. Make sure that the system incorporates considerations on how to calculate the time periods, and train your employees who handle the requests so that they know how to apply these considerations in practice. And, last but not least, if an individual gets impatient and complains, explain to him or her in simple and firm yet kind language what the rules are. A little kindness usually goes a long way.
