Data Subject Access Requests (DSARs)
Do the timelines for responding to GDPR data subject requests still apply where an organisation is temporarily closed or capacity to handle requests is curtailed because of COVID-19?
1st April 2020
The Data Protection Commission has acknowledged the significant impact of the Covid-19 health crisis. It may affect organisations’ ability to action GDPR requests from individuals, such as access requests. While the timelines for responding to requests from individuals are set down in law in the GDPR and can’t be changed. They recognise that unavoidable delays may arise as a direct result of the impacts of COVID-19.
The Data Protection Commissioners office appreciate that many organisations, especially frontlines and critical services organisations such as healthcare and social services may need to divert resources to priority work areas with consequential impacts on other areas such as the handling of access requests. They are alive to the unprecedented challenges facing organisations and the need for a proportionate regulatory approach in response to these extraordinary circumstances.
Any organisation experiencing difficulties in responding to requests should, where possible, communicate with the individuals concerned about the handling of their appeal. It includes any extension to the period for responding and the reasons for the delay in responding.
The GDPR provides for an extension of two months to respond to a request. Where necessary taking into account the complexity and number of requests.
Organisations experiencing difficulties in actioning requests should also consider whether it is possible to respond to requests in stages. For example, an organisation whose staff are working remotely may have difficulties in accessing hard copy records. In this case, it may be possible to provide the requester with electronic records, with hard copies provided at a later stage. Again, organisations should communicate clearly with the individuals concerned. Organisations may also want to engage with individuals to ensure that the request is as specific as possible concerning the personal data sought.
Equally important, where an organisation cannot respond to a request in full or in part on the statutory timelines, because of the impact of COVID-19, they still must do it. Also, they should ensure that the request is actioned as soon as possible. For accountability and transparency purposes, the reasons for not complying with the timelines must be documented by the organisation and communicated to the affected individuals.
While the statutory obligations cannot be waived, should a complaint be made to the DPC. The facts of each case including any organisation specific extenuating circumstances will be fully taken into account.
Protect your costumers, employees and partners data. We can help your business to be compliant with the GDPR regulations. Sign up for our 30 days free trial today!