Why These DPAs Are Wrong About Limiting DSR Extensions

21 Jan 2021

Alja Poler De Zwart authored an article for the International Association of Privacy Professionals covering the guidance issued by the UK Information Commissioner’s Office and the Netherlands’ Autoriteit Persoonsgegevens that says companies dealing with an increase in data subject requests (DSRs) by concerned individuals in the aftermath of large security breaches cannot extend the one-month response period.

“Such a position imposes unreasonable burdens on organizations in the midst of a large security breach,” Alja wrote. “It is also contrary to the legislative history of the GDPR and the guidance of other European DPAs, such as France, Belgium, and Spain. Given the stakes for companies not complying with DSRs in a timely manner, it is high time the European Data Protection Board provides uniform guidance in line with the legislative history of the GDPR.”

She added that “when the number of total DSRs submitted to an organization significantly exceeds that which would normally be expected by an organization of its type and size, the organization should be able to extend the one-month deadline by another two months, as provided in Article 12(3) of the GDPR.”

Read the full article.



Unsolicited e-mails and information sent to Morrison & Foerster will not be considered confidential, may be disclosed to others pursuant to our Privacy Policy, may not receive a response, and do not create an attorney-client relationship with Morrison & Foerster. If you are not already a client of Morrison & Foerster, do not include any confidential information in this message. Also, please note that our attorneys do not seek to practice law in any jurisdiction in which they are not properly authorized to do so.