Responding to Data Subject Access Requests During the COVID-19 Crisis

PUBLISHED: 8th April 2020

The time periods mandated by the GDPR continue to apply despite the significant strain COVID-19 has placed on organisations’ capacity to handle them.  However, the DPC will be adopting a proportionate regulatory response.

The Data Protection Commission (DPC) has confirmed that statutory time limits will continue to apply to data subject access requests during the COVID-19 crisis.  The GDPR provides for a one-month time period to respond to access requests, which may be extended by a further two months where necessary, taking into account the complexity and number of the requests.

Nevertheless, the DPC recognises that organisations’ ability to respond to such requests may be significantly impaired as many close temporarily, implement new remote working arrangements, and direct resources to priority work areas.  Given the current extraordinary circumstances, the DPC has acknowledged the need for “a proportionate regulatory response.”

The DPC has urged individuals to bear in mind the possibility of unavoidable delays, especially when access requests are made to frontline and critical service providers. Any requests made should be as specific as possible to limit the strain placed on organisations’ already limited resources.

If COVID-19 has had an impact on your ability to respond to an access request within the necessary time period, consider the following:

1. Communicate

Make sure you communicate clearly with the data subject in relation to their access request.  If delays are unavoidable, communicate with them and explain the reasons for the delay. 

2. Respond in Stages

Consider whether it is possible to respond to the access request in stages.  This may be particularly relevant where remote working arrangements mean that you only have immediate access to electronic records.  Physical records may then be searched and provided at a later date.  Be sure to communicate clearly with the data subject that you will be responding in stages.

3. Keep a Record

You must ensure that any access request is actioned as soon as possible.  If you can provide the data subject with a response within the statutory time period, you should do so.  Where delays are unavoidable make sure you keep a record of the reasons for the delay, along with all correspondence with the data subject.

While the time periods mandated by the GDPR cannot be relaxed, the DPC will assess any complaints made based on all the relevant facts, including extenuating circumstances caused by COVID-19.

For further information please contact Aideen Burke at aburke@lkshields.ie.

To view our cross-disciplinary coverage of business continuity during the COVID-19 outbreak, please visit our dedicated special insights page and sign up to our mailing list by clicking here.