Company Issued With Enforcement Notice For Failing To Respond To DSARS

The ICO has issued Smith, Law, and Shepherds IFA Ltd (Company) with an enforcement notice for failing to respond to two data subject access requests (DSARs) in contravention of Article 15 of the UK GDPR.

Background

Data Subject 1 submitted a DSAR to the Company on 14 April 2020. Data Subject 1 then sent further emails to the Company on 7 July 2020 and 28 September 2020 chasing a response and reminding the Company of its obligations under data protection law.

Data Subject 1 did not receive a response and therefore complained to the ICO on 24 November 2020. As a result, on 15 April 2021, the ICO wrote to the Company reminding it of its obligations and requiring it to take the appropriate steps to respond to the DSAR.

On 9 June 2021, Data Subject 1 had still not received a response from the Company and therefore once again contacted the ICO. On 24 June 2021, the ICO sent an email to the CEO of the Company asking him to ensure that Data Subject 1 received his information within 7 days. This did not happen.

The ICO continued to contact the Company for a number of months after and as of 9 December 2021 (over 18 months after the request was made), the Company had still not responded to Data Subject 1’s DSAR.

Data Subject 2 submitted a DSAR to the Company on 17 April 2020. Data Subject 2 sent further emails to the Company on 3 July 2020 chasing a response. On 30 November 2020, Data Subject 2 complained to the ICO and a case officer at the ICO wrote to the Company on 29 June 2021.

The ICO continued to contact the Company and as of 9 December 2021, the Company had still not responded to Data Subject 1’s DSAR.

Breach

The ICO conducted an investigation and found that the Company had contravened Article 15 of the UK GDPR by failing to inform Data Subject 1 and Data Subject 2 without undue delay whether their personal data was being processed and where that was the case, they had failed to provide access to such personal data.

Article 15 of the UK GDPR provides as follows:

Enforcement notice

Having regard to the level of the contravention and in particular the length of time since the DSARs were received, the ICO considered it proportionate to issue the Company with an Enforcement Notice.

In accordance with the Enforcement Notice, the Company was required to by no later than 16 March 2022 inform Data Subject 1 and 2 whether they are processing their personal data and if so provide them with a copy of such data.

Comment

This is a helpful reminder to deal promptly with any DSARs. If you are unsure of how to respond to a DSAR and what information should/should not be included, it is important to seek legal advice urgently.