A Data Subject Access Request (also known as a DSAR, SAR or GDPR request) allows an individual to request any or all data, pertaining to them, which a firm or business may hold. When a request is received, the party who has received the request is required to comply with it in one calendar month. If the request is complex the responding party is allowed up to an extra two months to respond.
If the request is not complied with the requestor is entitled to raise a complaint to the party it sent the request to. If the matter remains unresolved after a further calendar month the requesting party is entitled to report the matter to the Information Commissioners Office (often abbreviated to ICO).
We have recently become aware that some companies, including high profile banks, are advising individual consumers that they are not currently responding to DSAR’s, owing to the business focusing on other areas as a result of Covid 19. This advice is misleading and there is no current guidance provided by the ICO, which allows a company to opt out of its obligations to reply to a DSAR.
We were recently contacted by a client of our firm who had received correspondence from a company, refusing to comply with her DSAR. Our client was provided with the excuse that staff members were working from home due to Covid 19 and so did not have access to the information our client had requested. Upon our firm assisting in the matter, the company in question quickly conceded that it did in fact have to comply with the DSAR and that it would do so within 30 days from the date it originally received the request.
Another client had received a response to his DSAR, from a bank, asking for a sample signature to be provided on a separate document. We were concerned with that request and advised our client against signing a further, unrelated, document, especially considering our client had already signed the DSAR which the bank had received.
Please contact us if you require any further information or visit the ICO website at https://ico.org.uk/.