Part 5 Data protection and privacy

Chapter 1 Data protection

Data subject’s rights

76 Time limits for responding to data subjects’ requests

(1)

The UK GDPR is amended in accordance with subsections (2) and (3).

(2)

In Article 12 (transparent information, communication and modalities for the exercise of rights of the data subject)—

(a)

in paragraph 3—

(i)

for “within one month of receipt of the request” substitute “before the end of the applicable time period (see Article 12A)”, and

(ii)

omit the second and third sentences,

(b)

in paragraph 4, for “without delay and at the latest within one month of receipt of the request” substitute “without undue delay, and in any event before the end of the applicable time period (see Article 12A),”, and

(c)

in paragraph 6—

(i)

after “may” insert “—

(a)”, and

(ii)

at the end insert “, and

(b)

delay dealing with the request until the identity is confirmed.”

(3)

After Article 12 insert—

“Article 12A Meaning of “applicable time period”

1.

In Article 12, “the applicable time period” means the period of one month beginning with the relevant time, subject to paragraph 3.

2.

“The relevant time” means the latest of the following—

(a)

when the controller receives the request in question;

(b)

when the controller receives the information (if any) requested in connection with a request under Article 12(6);

(c)

when the fee (if any) charged in connection with the request under Article 12(5) is paid.

3.

The controller may, by giving notice to the data subject, extend the applicable time period by two further months where that is necessary by reason of—

(a)

the complexity of requests made by the data subject, or

(b)

the number of such requests.

4.

A notice under paragraph 3 must—

(a)

be given before the end of the period of one month beginning with the relevant time, and

(b)

state the reasons for the delay.

5.

Where the controller reasonably requires further information in order to identify the information or processing activities to which a request under Article 15 relates—

(a)

the controller may ask the data subject to provide the further information, and

(b)

the period beginning with the day on which the controller makes the request and ending with the day on which the controller receives the information does not count towards—

(i)

the applicable time period, or

(ii)

the period described in paragraph 4(a).

6.

An example of a case in which a controller may reasonably require further information is where the controller processes a large amount of information concerning the data subject.”

(4)

The 2018 Act is amended in accordance with subsections (5) to (7).

(5)

In section 45(5) (right of access by the data subject), after “delay” insert “and in any event before the end of the applicable time period (as to which see section 54)”.

(6)

In section 54 (meaning of “applicable time period” for responding to data subjects’ requests)—

(a)

in subsection (1), after “45(3)(b)” insert “and (5)”,

(b)

in subsection (2)—

(i)

for “1 month, or such longer period as may be specified in regulations,” substitute “one month”, and

(ii)

at the end insert “, subject to subsection (3A)”,

(c)

after subsection (3) insert—

“(3A)

The controller may, by giving notice to the data subject, extend the applicable time period by two further months where that is necessary by reason of—

(a)

the complexity of requests made by the data subject, or

(b)

the number of such requests.

(3B)

A notice under subsection (3A) must—

(a)

be given before the end of the period of one month beginning with the relevant time, and

(b)

state the reasons for the delay.

(3C)

Where the controller reasonably requires further information in order to identify the information or processing activities to which a request under section 45(1) relates—

(a)

the controller may ask the data subject to provide the further information, and

(b)

the period beginning with the day on which the controller makes the request and ending with the day on which the controller receives the information does not count towards—

(i)

the applicable time period, or

(ii)

the period described in subsection (3B)(a).

(3D)

An example of a case in which a controller may reasonably require further information is where the controller processes a large amount of information concerning the data subject.”, and

(d)

omit subsections (4) to (6).

(7)

In section 94 (right of access under Part 4)—

(a)

in subsection (14), for the definition of “the applicable time period” substitute—

““the applicable time period” means the period of one month beginning with the relevant time, subject to subsection (14A);”, and

(b)

after subsection (14) insert—

“(14A)

The controller may, by giving notice to the data subject, extend the applicable time period by two further months where that is necessary by reason of—

(a)

the complexity of requests made by the data subject, or

(b)

the number of such requests.

(14B)

A notice under subsection (14A) must—

(a)

be given before the end of the period of one month beginning with the relevant time, and

(b)

state the reasons for the delay.”