Q&A – the GDPR and data subject access requests

Q. If an individual, such as an employee or a client, makes a data subject access request (DSAR) for their personal data using their General Data Protection Regulation (GDPR) rights, how long do we have to comply?

A. The personal data must be provided to them “without delay” and within one month of receipt of the DSAR at the latest. However, where a DSAR is complex or the requests are numerous, you can extend the response period by a further two months. In this situation, you must inform the individual within one month of receipt of their DSAR and explain why the extension is necessary (see The next step). The GDPR also states that you must provide a copy of the personal data requested free of charge – the right to charge £10 has been abolished. That said, the GDPR permits you to charge a reasonable fee when a request is manifestly unfounded or excessive, particularly if it’s repetitive. Where a fee is levied, it must be based on the actual administrative cost of providing the personal data.

Reproduced with the permission of Indicator – FL Memo Limited. For subscription information call 01233 653500;