Documents for Business
- » Workplace and Environment
- » Employment law
- » Appraisals, promotion and training
- » Changing terms & conditions and TUPE
- » Contractual clauses
- » Data protection
- » Disciplinary, capability and dismissal
- » Flexible working
- » Grievances
- » Pay and pensions
- » Personnel management
- » Policies
- » Probation
- » Recruitment
- » Redundancy
- » Sickness absence
- » Termination
- » Time off and holidays
- » Trade unions
- » Work and parents
- Environment
- Fire safety
- HR
- Health and safety
- Risk assessment
- Safe systems of work
- Safety briefings
- Staff handbooks
- » Employment law
- Tax and Business
Documents for Business
In excess of 1,000 customisable documents covering every conceivable business issue.Introduction to this document
GDPR time extension for subject access response
You can extend the one-month period for compliance with a UK GDPR data subject access request by a further two months where requests are complex or numerous.
Two-month extension
Under the UK GDPR, the time limit for responding to a data subject access request (DSAR) is one month from the date of receipt of the request, although the legislation also states that you should respond “without undue delay”. The one-month time limit is calculated from the day you receive the request, whether it is a working day or not, until the corresponding calendar date in the next month. If this is not possible because the following month is shorter and there is no corresponding calendar date, the date for response is the last day of the following month. If the corresponding date falls on a weekend or public holiday, you have until the next working day to respond. However, you can extend this time limit by a further two months where necessary, taking into account the complexity and number of the requests. The latter circumstance encompasses where you’ve received numerous requests from the same person; it doesn’t apply where you happen to currently be dealing with lots of DSARs submitted by different people. As for complexity, this is fact and context dependent and the more the individual has narrowed down their request, the harder it will be for you to show complexity.
Requirements
If you want to extend the time period, you must contact the individual within one month of the DSAR’s receipt to inform them of the extension and to explain why it’s necessary. This means you’ll need to set out in some detail the reasons for the delay in responding. Our GDPR Time Extension for Subject Access Response sets out a number of common reasons for extending the time to respond to a DSAR, either because it’s complex or because the individual has submitted numerous recent DSARs. These reasons are not intended to be exhaustive and you will therefore need to delete, amend or add to them so that they’re relevant to your own business reasons for the delay.
Breach
If you do fail to comply with your obligations under the UK GDPR, including failing to comply with data subject access rights, the individual can complain to the Information Commissioner’s Office and you can be subjected to potential fines of up to £17.5 million or 4% of the worldwide annual turnover of the business, whichever is higher. The individual can also seek a court order for compliance with their DSAR and claim compensation for damage suffered as a result of the breach.
