Legal matters

Mumsnet has not checked the qualifications of anyone posting here. If you have any legal concerns we suggest you consult a solicitor.

GDPR, does this sound legit?

6 replies

DoughnutKitten76 · 28/02/2025 19:24

My employer appointed a new HR benefits/financial benefits supplier last year including to administer our pensions. They've mucked it up royally. I was affected and formally complained, got a final complaint response left with a "partially upheld" outcome but no "sorry & here's how we'll stop it ever happening again" which is what I'd hoped to get by raising a complaint. Frankly I don't plan to make any changes to my employee benefits including pension for now because I'm worried about them making worse mistakes (colleagues have been accidentally unenrolled and all sorts of strange things due to their poor IT systems).

Anyway:

Have referred it to the Financial Service Ombudsman and Pension Ombudsman. FOS have picked up the case and are reviewing, while PS say it's on hold until FOS investigators do their work and they'll investigate if it doesn't get resolved fully with FOS. Great.

However, as part of prepping the paperwork pack for the FOS, I submitted a Subject Access Request via the ICO online template service to this employee / benefits pension provider. Direct to their customer service email address.

The SAR timed out and they've not replied by the deadline ICO sets out. When I pointed this out and said I'd now be sending a report to the ICO too, I've had a message saying they acknowledge the request and have sent it over to my EMPLOYER's data protection team to handle and they'll contact me directly.

So if, say, I sent a SAR to get material for the FOS investigation to Company A (e.g. like Standard Life or Aegon, but it's neither of them) can/should they send it to, say, Sainsbury's Data Protection team if I work for Sainsbury's? I fail to see why they'd do this or if my employer would have access to all the right data/systems and I'm not impressed at the idea they're dragging their incompetence and my complaint towards my own employer's data team without warning.

Is this a normal response to a SAR? It seems not to me but I've only ever done 1 before.

Hoardasurass · 28/02/2025 23:33

No, that's not right at all. The information should come to you, not a 3rd party.

prh47bridge · 28/02/2025 23:49

It depends. If company A is a data processor and your employer is the data controller, company A is correct that you need to request the data from your employer. However, if company A is the data controller, they should respond to your request.

Fintoo · 28/02/2025 23:52

I had a sort of similar issue. My employer was the data controller, so the SAR went to them.

DoughnutKitten76 · 01/03/2025 09:21

I've read the ICO guides on controllers vs processors and you're right, it's the only thing that could reasonably explain it. But they are beyond the deadline and haven't explained why it's gone to my employer explicitly. I'll see what happens. Thanks!

decreasingbells · 01/03/2025 17:03

If, as seems to be the case, the company that you made a data subject access request (DSAR) against is a processor, not a controller, then your right of access under Article 15 UK GDPR is not engaged. They are not obliged to follow up on your request.

It is appropriate (not sure if it is mandatory) for them to pass the request to the data controller, in this case seemingly your employer. This they have done. Personally I think it is appropriate in these cases to answer the request explaining all this but not everyone does that.

If the data controller accepts a DSAR via this route they should deal with it according to the normal timeframes. However I guess they could argue they never received a DSAR from you.

You might do best to talk to your employer’s privacy team and submit a new DSAR if necessary.

Whyherewego · 01/03/2025 17:09

I'd agree. Submit the SAR to the employer. It's common that supplier organisations are data processors and not controllers.
