
Enforcement action when a business fails to comply with a Subject Access Request

GDPR & Data Protection Rights

In the latest episode of the podcast I covered the basics of what an employer needs to consider when dealing with Subject Access Requests from employees under Data Protection legislation. Coincidentally, the latest newsletter update from the Information Commissioner's Office (ICO) provided details of a recent enforcement case.

The business, Hudson Bay Finance Limited (‘Hudson’), were subject to enforcement under the Supervisory Powers of the Information Commissioner, following a request for assessment under section 42 of the Data Protection Act by the data subject.

The complainant (who is not named) made a subject access request in writing on the 18th May 2018, to which there was no response from Hudson, and so she contacted the ICO to complain on the 21st September 2018. The ICO then wrote to Hudson on the 11th December 2018 and no response was received. The letter was resent on the 17th January 2019.

After receiving no response to its correspondence, the ICO telephoned Hudson on three occasions in March, and on the last call Hudson hung up the telephone!

Several further letters and calls were made by the ICO, and when there was no answer the ICO issued a preliminary enforcement notice requiring compliance with the subject access request. This was also ignored, and so an enforcement notice was issued on the 9th August 2019.

The enforcement notice states:

In view of the matters referred to above, the Commissioner hereby gives notice that, in exercise of her powers under section 40 of the DPA, she requires that the data controller shall within 30 days of this Notice take steps to:

Inform the complainant whether the personal data processed by the data controller includes personal data of which the complainant is the data subject, and shall supply them with copies of any such personal data so processed in accordance with the requirements of section 7 of the DPA and the Sixth Data Protection Principle in that respect, subject only to the proper consideration and application of any exemption from, or modification to, section 7 of the DPA provided for in or by virtue of Part IV of the DPA which may apply.

Failure to comply with the enforcement notice is a criminal offence.

Whilst this is clearly an extreme case where the business have blatantly ignored the request from the individual and the ICO, it does illustrate that the ICO will take action if you fail to comply with the requirements of the Data Protection Act when it comes to providing an individual with their data.

Useful Links

You can read the enforcement notice in full here:

You can find other enforcement notices and action taken by the ICO here

You can listen to the episode here: PODCAST 129

My passion is to help employers and business owners to be the best employers they can and therefore if you want to be the best employer in your industry drop me an email to arrange a no obligation discussion and quote. Email:

This article was written by Alison Colley, Solicitor and Director at Real Employment Law Advice.

Don’t forget, getting advice from a Solicitor does not have to be complicated or costly!


Appointments are available by telephone or via video call, so no matter where you are in England or Wales we can assist you.

The information contained in this blog post is provided for guidance and is a snapshot of the law at the time it is written. It is provided for your information only and should not be used as a substitute for obtaining legal advice that is specific to your particular circumstances.

The guidance should not be relied upon in any decision making process. It is strongly recommended that you seek advice before taking action.
