Time limits under GDPR in regards to the 8 rights
It’s been just six weeks since the GDPR came into effect and the initial signs are that the public are aware of, and are exercising, their new rights. An article in The Guardian states that the Information Commissioner’s Office has reported an increase in both breach notifications and in data protection complaints within the first four weeks after the implementation.
The GDPR provides eight rights for individuals, building on previous rights enshrined in the UK's Data Protection Act 1998, consolidating and reinforcing rights of data subjects across other legislation, and introducing new rights. Each data subject is entitled to:
be informed,
request a copy of their data,
request their data be rectified,
request their data be erased,
request their data be restricted,
object to their data being used in certain circumstances,
request their data be provided in a format that allows them to reuse their data across different services,
request that certain restrictions on firms with regard to automated decision making and profiling be undertaken in their case.
With a fair amount of GDPR publicity in the media focusing on new higher fine amounts available to the authorities (maximum fines for failures in breach notifications, for example, are now €20m or 4% of a firm’s annual global turnover, whichever is higher), the increase in breach notifications is evidence that firms are taking the new rules seriously. Given the apparent public interest in the new rights – a rise in complaints shows individuals are prepared to both exercise their rights, and to complain to the authority if firms fail to deliver – this is no bad thing.
A key aspect to the rights and to complying with the new rules is the time limits firms have to process the request and provide the outcome to the data subject. In this article, we’ll be focusing on the time limits critical to the provision of three of the eight rights, the right of access, rectification and erasure.
Subject Access Requests now carry some different and additional elements to those provided under the Data Protection Act 1998; in most cases firms cannot charge a fee, firms need to ensure that requests receive both the copy of personal data and relevant supplementary information, and the timescale in which to comply has reduced to ‘one month’, under Article 12. The ICO has offered further clarity on this relatively ambiguous definition, and states ‘you should calculate the time limit from the day after you receive the request (whether the day after is a working day or not) until the corresponding calendar date in the next month’.
However, it isn’t as simple, in practice, as thinking you have one calendar month to complete the request. If a request is received on 10 July, the time limit begins on the following day – the 11 July – meaning that a firm has until 11 August to respond. However, where a request is received on, for example, 30 March, the time limit begins from 31 March. But where there is no corresponding date in April, because the month is shorter, the time limit is considered to be the earlier date – 30 April, rather than 1 May. Where the response date (but not the receipt date) falls on a weekend or public holiday, you have until the next working day to respond. The ICO recommends the use of a 28 day period to ensure that compliance is always within a calendar month.
Similarly, requests to have inaccurate personal data rectified or completed if incomplete are subject to the same ‘calendar month’ rules as subject access requests. If the request is complex, firms may extend the time to respond by a further two calendar months. Firms which are adopting the 28 day approach may wish to use a calculation of a further 59 days for responses to complex cases (87 days in total); those that are not must ensure staff are aware and trained in how to calculate the deadline, or that automated calculations take into account the shorter month/weekend/public holiday adjustments.
The ICO state that where the case is complex, and further consideration of the accuracy of disputed data is requested, and where it is likely that the outcome is that you consider the data to be accurate, an extension would be acceptable. However, the ICO have provided the following circumstances as examples where an extension would not be considered reasonable:
Manifestly unfounded or excessive
An exemption applies
You are requesting proof of identity before considering the request
When firms wish to extend the time to respond, firms must let the data subject know as soon as possible, and within one month of receipt of the request, and explain why the extension is necessary.
Whilst investigations into the accuracy of the data are ongoing (whether as part of a normal 28 day case, or an extended time-limit case), the processing of data that is disputed should be restricted. Individuals have the right to ask for restricted processing as part of an accuracy contest, however, the ICO recommend that as a matter of good practice, all data subject to rectification requests should be restricted.
Requests for the erasure of data (also known as the right to be forgotten) are also subject to the one calendar month (or 28 day) limit. As with rectification requests, the limit can be extended by a further two months if the request is complex, but cannot be extended if the request is manifestly unfounded or excessive, an exemption applies, or proof of identity is sought.
In erasure cases, where personal data has been disclosed to others, an organisation must contact each recipient (usually other controllers who are also processing that information) and inform them of the erasure. Although no time period is specified – either in the GDPR itself or in the ICO’s guidance documentation – as a matter of good practice, firms should aim to complete this contact well within the time-limit, to allow any third parties to take necessary steps to erase links, copies and replications of this data within the same period of time in which the data subject should be able to reasonably expect it to have been deleted.
If you need more information on GDPR, please look through our Resource Downloads page where you can download a free Fair Processing Notice.
If you would like to receive our Compliance Insights emails to receive the latest compliance news and alerts, please sign up here.