If someone asks for their data, you give it to them, scolds ICO.
A Buckinghamshire housing developer has been forced to pay up £1,500 after ignoring a person's request for information the company held on them.
Using subject access requests (SAR), people can ask organisations to provide all the personal data held on them.
Under data protection laws, companies have 40 calendar days to respond, but Magnacrest failed to meet this time frame for a SAR it received in April 2017.
The individual, who had also included a cheque for £10 – the fee that organisations were allowed to charge for processing SARs before the GDPR made them free – then complained to the UK's data protection watchdog.
The Information Commissioner's Office sent the firm letters in August, September and October requesting that it respond to the individual, and the spoke to Magnacrest on the phone in September.
However, it failed to take heed, and the ICO issued an enforcement notice (PDF) ordering it to comply in January 2018.
However, Magnacrest failed to do so, at which point the ICO brought a criminal prosecution against the firm.
That case was heard on 6 February in Westminster Magistrates' Court, where the housing developer pleaded guilty to a charge of failing to comply with an enforcement notice.
Magnacrest was fined £300 for the inaction, and ordered to pay £30 for a victim surcharge and some £1,133.75 towards prosecution costs.
"The right to access your own personal information is a fundamental and long-standing principle of data protection law," said Mike Shaw, the ICO's criminal enforcement manager.
"Organisations not only have to respect this right but must also respect notices from the ICO enforcing the law. If they fail to do so then they must accept the consequences, which can include a criminal prosecution."
The General Data Protection Regulation, brought into effect in May 2018, made it free for people to make SARs. ®
Source: The Register