Data subject request: one-month period pauses while identity is verified

The General Data Protection Regulation contains a large number of deadlines that a controller must meet.
This also applies to the deadline for responding to data subject requests, which generally requires “immediate” action according to Article 12 (3) sentence 2 of the GDPR. The controller no longer acts immediately if the one-month period specified in Article 12 (3) sentence 1 GDPR is exceeded. In certain cases, this deadline can be extended to a total of three months. We recommend consulting with your expert from our data protection team in these cases.
How to calculated the one-month period?
The EU Regulation No. 1182/71 provides the rules about dates and time limits (Time Limits Regulation). Art. 3 para. 1 2nd subparagraph Deadlines Regulation specifically states: “For the beginning of a deadline to be measured in months, the point in time at which the event occurs is decisive. Thus, when calculating this period, the day the event occurs is not included. As to Art. 3(2)(c) of the Regulation on time limits, the time limit ends with the expiry of the last hour of the day which bears the same designation as the day on which the time limit begins.
First official statement of consideration of interruption
For the first time, the Berlin data protection authority talks about the fact that in a certain case, the one-month time limit was met although the time limit was exceeded. This is the case when the data subject does not respond to an authentication request. During an authentication request the time limit is “paused”.
This was recently documented as part of a cooperation procedure under article 60 GDPR with the Swedish data protection authority as lead supervisory authority. A complaint alleging a violation of article 15 GDPR was rejected.
What is this all about?
In the case, the controller has exceeded the one-month period altogether. However, there was sufficient doubt about the identity of the data subject, which is why a telephone number (for the purpose of sending a verification code) was requested from him, among other things. The data subject only complied with this request after some time and further reminders.
The Swedish DPA pointed out that article 12(3) GDPR had to be complied with in principle, but the DPA also considered that the controller had reasonable grounds to doubt the identity of the data subject. Therefore adequate information was requested without unreasonable delay. This information was provided by the data subject only after a delay, the DPA considered that the request was thus processed by the controller within the one-month period without unreasonable delay.
If you do not yet have a process for handling data subject requests, please contact our experts in the data protection team or use the new template available in our ePrivacyaudit (Roll out in December).