The Commissioner of Police for the City of London – Violation Found (United Kingdom, 2026)

The Commissioner of Police for the City of London (the controller) is responsible for law enforcement within the City of London, receiving subject access requests (SARs) falling under Part 3 DPA 2018 for law enforcement processing, as well as some SARs under the UK GDPR for non-law enforcement processing, such as employees’ SARs in HR matters. Several data subjects lodged complaints with the DPA regarding SAR compliance between 2023 and 2025. Subsequently, the DPA launched an investigation into the controller's compliance with SARs. The DPA found that between 1 April 2023 and 31 March 2024, less than half of the SARs submitted had received a response within the statutory time frame. However, the DPA noted that the controller’s compliance with SARs improved to 93% for the period of April 2025 to July 2025. Therefore, the DPA held that between 1 April 2023 and 31 July 2025, the controller infringed Article 12(3) UK GDPR and S45(3) DPA 2018 by failing to respond to subjects’ access requests within the statutory time frame and issued a reprimand along with a recommendation for bringing its activities into compliance.