5

Suppose someone makes a GDPR subject access request for data that is always deleted after less than the required response period, (eg: CCTV footage that gets overwritten every 14 days). Does this mean the controller can always safely reply that they have nothing because they've already deleted whatever they may have had when the request was made?

This seems disappointing because they will have also collected more data in the month that they are allowed to take to respond, but if the subject makes another request for that data the controller gets another month by which time it will be deleted again.

The alternative seems unworkable too, because in order to have the data the the data controller would have to stop their normal deletion routine whenever they get a subject access request.

Is This answer correct to suggest that the response does not have to include data that was acquired after the request?

Tom V
  • 467
  • 2
  • 9

1 Answers1

7

In the UK, the Information Commissioner's Office is clear about this. If data is routinely deleted, it need not be included in a response even if the deletion occurs while dealing with the request. But you can't delete it outside the normal processes because you got a request:

It is our view that a SAR relates to the data you held at the time you received the request. However, in many cases, routine use of the data may result in it being amended or even deleted while you are dealing with the request. So it is reasonable for you to supply the information you hold when you respond, even if this is different to what you held when you received the request.

However, it is not acceptable to amend or delete the data if you would not otherwise have done so. Under the DPA 2018, it is an offence to make any amendment with the intention of preventing its disclosure.

A company's documentation of data retention procedures would often make it clear if data had been improperly deleted or not, so they would not get away with improper deletion. They refer to the Data Protection Act (DPA) 2018.

Source: For organisations, UK GDPR guidance and resources, Individual rights - guidance and resources, Right of access, How do we find and retrieve the relevant information?, Information Commissioner's Office, acccessed 4 March 2025.

Stuart F
  • 489
  • 5
  • 8