This applies to:
- A Supplier Access Request (SAR)
- Request for update or correction of data
- Request for processing restriction
- Request for deletion of data
- Request for moving/copying/transferring data
- Objections for processing of personal data
The GDPR requires that each of the above scenarios be responded to within a month – and the ICO recommends that the ‘month’ period is calculated as follows:
- Take the date of the day following the one on which the request is received
- So if the SAR arrived on the 23rd of the month, the applicable start date is deemed to be the 24th of that month
- Using that date, apply it to the next month as the deadline by which the SAR response must be sent.
- So if the applicable start date is the 24th of a month, the deadline is the 24th of the following month
- Thus, this disregards whether days are working days or not.
- Thus, if the SAR is received on 27th June, then the deadline is 27th July
- IF there is no such day in the following month, you should go to the first day of the month after that
- So if the SAR is received on 31st January, the deadline is 1st May (because there is no such day as the 31st of February)
- If the deadline date thus determined is a weekend or public holiday, then the following day becomes the deadline date.
- As this means there will be variations at different times of year, it is suggested that a 28 day period is chosen and utilised if the organisation wishes
- This has the benefit of a bit of leeway built in so that in the event of a day’s delay, this should not be a problem
Note that this is the approach adopted by the ICO and while other approaches may be appropriate, this would likely be the version deemed best practice unless you had good reasons (laid out in advance) to vary from this.