Responsibility for complying with a subject access request lies with your organisation, as the data controller.
Your DPO will generally be responsible for fulfilling a DSAR, if you haven’t appointed a DPO, the responsibility should be given to someone with up-to-date data protection knowledge and training in GDPR compliance.
If you don’t have the internal expertise, qualifications and practical experience in this area of data protection you could be well advised to get some professional support.
If you use a processor, you need to ensure that you have contractual arrangements in place to guarantee that subject access requests are dealt with properly, irrespective of whether they are sent to you or to the processor. You may not extend the one month time limit on the basis that you have to rely on a processor to provide the information that you need to respond.
This FAQ is in these categories: DSAR questions
