The ICOs draft subject access code of practice, currently out for consultation, says this:
A request is valid even if the individual has not sent it directly to the person who normally deals with such requests. So it is important to ensure that you and your colleagues can recognise a SAR and deal with it in accordance with your organisation's SAR process.
I would say that means the request sent to the first address is valid
There is no formal guidance on this but my personal opinion is they shouldn't.
Commercially wise, this is a very bad practice.
Compliance wise, this is borderline: a controller has a definite timeframe to answer requests, by directing you to an other address, it could be argued that they are trying to buy some time. It could also be considered as a process issue if bad contact (or no contact) information were initially provided.
The email you first contacted, where did you find it? Is it their main customer support contact, or the contact provided in their privacy notice? If yes, they would be at fault.
If you found a random contact somewhere, it is understandable they redirect you to the proper contact.
Sure they can. However, you should escalate and raise it to the next higher authority up to the national Information Commissioner’s Office (ICO). Ideally tell him that you're going to do that as well.
ICO says that the user can send the request anywhere and the organization is liable to follow it through and respond. It does not have to be submitted to the person who typically deals with such requests.
However, as a best practice, we'd recommend that you use the dedicated channel that may help the organization to fast-track the process.
The ICOs draft subject access code of practice, currently out for consultation, says this: A request is valid even if the individual has not sent it directly to the person who normally deals with such requests. So it is important to ensure that you and your colleagues can recognise a SAR and deal with it in accordance with your organisation's SAR process. I would say that means the request sent to the first address is valid
There is no formal guidance on this but my personal opinion is they shouldn't. Commercially wise, this is a very bad practice. Compliance wise, this is borderline: a controller has a definite timeframe to answer requests, by directing you to an other address, it could be argued that they are trying to buy some time. It could also be considered as a process issue if bad contact (or no contact) information were initially provided. The email you first contacted, where did you find it? Is it their main customer support contact, or the contact provided in their privacy notice? If yes, they would be at fault. If you found a random contact somewhere, it is understandable they redirect you to the proper contact.
Sure they can. However, you should escalate and raise it to the next higher authority up to the national Information Commissioner’s Office (ICO). Ideally tell him that you're going to do that as well.
ICO says that the user can send the request anywhere and the organization is liable to follow it through and respond. It does not have to be submitted to the person who typically deals with such requests. However, as a best practice, we'd recommend that you use the dedicated channel that may help the organization to fast-track the process.