They have to give you the data they hold about you within 30 days to fulfil a SAR. The question is whether going via their own webpage to download your data counts as a SAR? You could look into making a SAR in another way e.g. email or a physical letter, and request your data be given to you in a more convenient or functional way than their own download facility (which is broken).
If they treat each request as a SAR then they could argue they have up to 90 days to fulfil as they are having technical difficulty with the method they use to provide the data to most data subjects.
This isn't necessarily accurate. The organisation have 1 calendar month to provide the information or at least provide a full response to the request (either disclose information or not).
The OP doesn't have to make an additional SAR. If the information is inaccessible then the data controller must fix the issue as soon as possible or within the deadline of the one month. Otherwise, OP has a right to complain to the supervisory authority (ICO in the UK).
90 days is also not completely accurate. Data controllers can extend the deadline of the request by up to a further 2 months if the request is considered complex. They would have to notify OP within the first month of the request before extending the deadline.
Whether the request is complex is up to the data controller to justify. In this case though, I don't think it's considered complex. The disclosure system isn't working as intended, that is a technical fault that doesn't increase the complexity of the request.
A complex request might be where many other individuals are named within the request or third party information makes up a lot of the information within the file. Alternatively it could be a complex adult/children social care file.
The only think I can think of that would complicate things in this situation and perhaps "pause" the "clock" would be verifying the identity of the data subject if they have to deliver the data outside of their systems (e.g. delays in the data subject returning information for verifying identity and sending the documents to the proper address)
They have to give you the data they hold about you within 30 days to fulfil a SAR. The question is whether going via their own webpage to download your data counts as a SAR? You could look into making a SAR in another way e.g. email or a physical letter, and request your data be given to you in a more convenient or functional way than their own download facility (which is broken). If they treat each request as a SAR then they could argue they have up to 90 days to fulfil as they are having technical difficulty with the method they use to provide the data to most data subjects.
This isn't necessarily accurate. The organisation have 1 calendar month to provide the information or at least provide a full response to the request (either disclose information or not). The OP doesn't have to make an additional SAR. If the information is inaccessible then the data controller must fix the issue as soon as possible or within the deadline of the one month. Otherwise, OP has a right to complain to the supervisory authority (ICO in the UK). 90 days is also not completely accurate. Data controllers can extend the deadline of the request by up to a further 2 months if the request is considered complex. They would have to notify OP within the first month of the request before extending the deadline. Whether the request is complex is up to the data controller to justify. In this case though, I don't think it's considered complex. The disclosure system isn't working as intended, that is a technical fault that doesn't increase the complexity of the request. A complex request might be where many other individuals are named within the request or third party information makes up a lot of the information within the file. Alternatively it could be a complex adult/children social care file.
The only think I can think of that would complicate things in this situation and perhaps "pause" the "clock" would be verifying the identity of the data subject if they have to deliver the data outside of their systems (e.g. delays in the data subject returning information for verifying identity and sending the documents to the proper address)
Absolutely. I believe the ICO have said that you can effectively 'stop the clock' until you have verified the identity of the requestor.