As the COVID-19 pandemic gathered pace, the Irish Data Protection Commission (DPC) issued guidance on certain related implications under GDPR. In particular, the DPC indicated that data protection law does not stand in the way of the provision of healthcare and the management of public health issues.
Of particular interest to many organisations is the DPC’s guidance on the statutory timelines for responding to data subject requests (DSRs). The DPC has acknowledged that the unprecedented challenges faced by organisations during the COVID-19 pandemic may result in unavoidable, and understandable, delays when responding to data subject requests. However, in facing these challenges, organisations must ensure to internally document and proactively communicate to the data subject any resulting delays.
With the spread of COVID-19, organisations are facing increasingly complex challenges in the day-to-day operation of their businesses. In Ireland, government measures will remain in place until at least 19 April 2020, meaning schools and universities remain shut, private sector organisations may be closed or have reduced capacity with employees working from home, and the public sector is focused on supporting critical services and frontline staff. Across the board, resources, whether they are finances or personnel, are being diverted away from compliance and data governance activities.
Fixed statutory timelines
According to the DPC, the GDPR’s statutory timelines for responding to DSRs cannot be modified or extended under any circumstances. Under Article 12 GDPR, organisations must respond to the individual within one month of receiving the request. In certain cases, this timeline can be extended by a further two months, such as due to the complexity or number of requests. Nevertheless, the DPC has indicated that it will adopt a sensible and proportionate approach in enforcing these timelines on organisations experiencing challenges in these unprecedented times.
Dealing with timelines for DSRs
The DPC provides some helpful guidance to organisations experiencing difficulties responding to DSRs within the statutory timelines:
Engage with individuals in order to ensure that the request is as specific as possible such as in relation to the personal data sought
Consider invoking the extension of two months, where necessary, taking into account the complexity and number of requests
Communicate with the data subject about the handling of their request and where an extension of time for responding is needed, include the reasons for the delay in responding
Respond to the request in stages. For example, respond with the information that is available to staff working remotely and provide hard copies at a later stage
Where an organisation simply cannot respond to a request within the statutory timelines, either in part or in full, the request should be actioned as soon as possible
In line with the GDPR’s accountability principle, the DPC encourages organisations to document their reasons for not complying with the statutory timelines. In addition, the organisation should promptly communicate these reasons to the data subject. Lastly, while the GDPR does not permit a waiver of the statutory timelines, the DPC has stated that it will take into account the extenuating circumstances and the documented reasons for the delay, should a complaint be received regarding an organisation’s responsiveness.
The content of this article is provided for information purposes only and does not constitute legal or other advice.