Email and the Law

Changes To Subject Access Requests


Email marketing lists are the key to success in our business, but with them comes responsibilities which must be complied with under threat of legal penalty. But even strict compliance doesn’t mean there’ll be no problems. Some companies have experienced difficulties with regards to nuisance subject access requests (SARs) and the recent legal High Court judgement, Lees v Lloyds Bank plc, could confuse those not used to legal niceties.

The High Court listed circumstances where a court need not exercise its discretion to order a data controller to respond to a SAR. These included:

where the number and repetition of SARs amounts to abuse; 
where the reason for the request is to obtain documents and not personal data; and
Changes To Subject Access Requestswhere the purpose is to obtain such things as documents for litigation purposes.

It is dangerous taking High Court decisions at face value as they don’t always mean what they appear to. This one does not give you a right to ignore SARs solely on your assumption of what was in the mind of the person making the request. If you are plagued by what are, in your opinion, abusive SARs, then you probably should seek the advice of a lawyer.

When looking for clarification for email marketing requirements, most of us will turn to ICO guidance, but in this case it is less than precise. It states, quite clearly, that unless an exemption or restriction applies, the purpose for which an individual makes a SAR does not affect its validity, or your duty to respond to it. However, it adds in parentheses, unless it is a manifestly unfounded or excessive request. What makes it unfounded or excessive is unhelpfully not explained.

See https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/right-of-access/what-should-we-consider-when-responding-to-a-request/

Lloyds Bank responded to each of the SARs in question, although in one particular case it took six months to do so. The case revolved around numerous and repetitive SARs from the same person. It took note of the fact that the purpose of a SAR was to obtain documents and not personal data.

As ever with such decisions, they apply to the specific details of the case decided on and cannot be transferred to another directly. It remains the remit of the court to decide whether or not an application is abusive. You probably want to read the judgement. As it is written in English you might be tempted to believe that you understand it and can apply it in your specific case. This is not necessarily so.

What use is a confusing High Court judgement, one that’s given rise to unspecific ICO guidance, to email marketing? 

Year on year, our subscribers become more aware of their rights and our obligations with regards to their personal data. Putting it the way I like it, simply, the decision re-emphasises the need for us to have comprehensive systems in place to monitor SAR requests and to highlight where abuse might be present. I’m afraid it is then a case of legal advice and, unfortunately, possibly legal process. The more records you have, the quicker it can be resolved.
 

WizBot

EMAIL MARKETING FREE TRIAL

30 days full functionality - No credit card required - INSTANT ACCESS