The United Kingdom’s Data Protection Authority issued an Enforcement Order linked to time delay – January 2022
Early 2019 saw the Information Commissioner’s Office begin to probe the Ministry of Justice, in this case the data controller. Having paused the inquiry during lockdowns, it has now concluded that the government department did break DP laws with regard to a backlog of ‘Subject Access Requests’ (SARs).
According to Art. 12(3) GDPR, a data controller must respond to a SAR “without undue delay and in any event within one month of receipt of the request.” This can be extended by a further two months if the request is complex or a number of requests have been made by the data subject. The ICO’s current guidance states that the time limit for a response starts from the day the request is received (whether it is a working day or not) and runs until the corresponding calendar date in the next month. Therefore, if the SAR was received on 01 January 2021, the data controller should respond by 01 February 2021.
UK: January 2022 saw the conclusion of an inquiry led by the European Data Protection Supervisor
In an inquiry that similarly opened in 2019, the EDPS has ordered Europol ‘to delete data concerning individuals with no established link to criminal activity’. It also enforced a stricter time limit for Europol to manage stored data, meaning it must delete uncategorized data sets within a 6-month deadline, while allowing an initial 12 months to sort through the existing stored data that seemingly has no Data Subject Categorisation. Europol regulation currently allows extraction and processing of personal data on individuals under categorisations including witnesses, victims, informants, suspects, and potential future criminals, as well as the contacts of such. This sanction is aimed at reducing the risk to individuals’ fundamental rights to data protection, by avoiding potential privacy breaches or a data subject being incorrectly linked to illegal activity.
View the press release: 2022 EDPS order to Europol
EU: Understanding European Data Protection Law
The Certified Information Privacy Professional / Europe (CIPP/E) ‘Body of Knowledge’ goes beyond the GDPR.
Module 1 introduces the European Data Protection Laws and Module 11 covers ‘Supervision and Enforcement’, which includes the role of the Data Protection Authorities and the European Data Protection Supervisor, the data protection regulator of the EU as an entity.
Find out more: CIPP/E training and certification