TL;DR
Under GDPR Article 12(3), you must respond to a Data Subject Access Request within one calendar month of receipt. For complex or numerous requests you may extend this by two further months, but you must inform the requester of the extension within the first month. Responses are free of charge in almost all cases. You can refuse only if the request is manifestly unfounded or excessive, and you carry the burden of proving this.
Compliance Blog
How Long Do I Have to Respond to a Data Subject Access Request Under GDPR?
One calendar month from receipt. That is the answer, under Article 12(3) of the GDPR. The clock starts when the controller receives the request, not when it processes or verifies it. What follows is the complete picture: how to count the month, when you can extend it, what the response must contain, what you can charge, and when you can refuse.
The one-month rule: Article 12(3)
GDPR Article 12(3) states that the controller shall provide information on action taken on a request under Articles 15 to 22 (which include the right of access) without undue delay and in any event within one month of receipt of the request.
"One month" means one calendar month, not 30 days. A request received on 15 January is due by 15 February. A request received on 31 January is due by 28 February (or 29 in a leap year): where the following month has no equivalent date, the period ends on its last day. The EDPB's Guidelines 01/2022 on the right of access confirm this method of counting, which follows Regulation (EEC, Euratom) No 1182/71 on periods and time limits. Under the same rules, if the last day of the period falls on a Saturday, Sunday or public holiday, the period ends on the next working day.
The extension: two further months for complex requests
Article 12(3) also permits an extension of up to two further months where requests are complex or numerous. The total maximum response period is therefore three months from receipt.
The extension is not automatic. To use it, you must inform the requester of the extension and the reasons within the first month. If you do not send that notification within the first month, the extension is not valid and you are in breach of the deadline. The notification must explain the complexity or volume issue that requires more time.
"Numerous" does not mean a single request covers a lot of data. It refers to multiple simultaneous requests from the same individual or across many individuals. A single individual making a standard access request for their customer account data is almost never a legitimate reason for an extension. An extension is more defensible where: the request spans multiple systems across different legal entities; the data requires complex retrieval across legacy systems with no central identifier; or the same individual has submitted multiple overlapping requests simultaneously.
What "receipt" means
The clock starts on receipt, not on identification of the requester or on internal processing. If a data subject sends a DSAR by email on 1 March and your team reads it on 3 March, the clock started on 1 March, not 3 March. Organisations frequently make the error of treating the clock as starting when they open and log the request rather than when they received it.
What about identity verification? The EDPB's guidance is clear: you may request additional information to verify identity where you have reasonable doubts, but this does not pause the clock. The clock continues to run while you verify identity. If verification takes two weeks, those two weeks come out of your one month. The only exception is where you cannot verify identity at all, in which case you can decline to act without breaching the deadline — but you must inform the requester.
A DSAR does not have to use the words "data subject access request" or cite Article 15. If someone asks "what data do you hold on me?" or "can you send me everything you have about me?", that is a valid DSAR. Organisations frequently fail to recognise informal requests as DSARs and miss the deadline as a result. Your intake process should capture any request for personal data in any format.
What the response must include
Article 15 sets out what a DSAR response must contain. It is more than just a copy of the data. The response must include:
- Confirmation that personal data is (or is not) being processed about the requester
- A copy of the personal data being processed
- The purposes of processing
- The categories of data being processed
- The recipients or categories of recipients to whom the data has been or will be disclosed, in particular recipients in third countries or international organisations
- The envisaged retention period, or if not possible, the criteria used to determine it
- The data subject's rights: to rectification (Article 16), erasure (Article 17), restriction of processing (Article 18), and to object (Article 21)
- The right to lodge a complaint with a supervisory authority
- If the data was not collected from the data subject, any available information about the source
- The existence of any automated decision-making, including profiling under Article 22, with meaningful information about the logic involved and the significance and envisaged consequences for the data subject
- Where personal data is transferred to a third country or an international organisation, the appropriate safeguards under Article 46 relating to the transfer (Article 15(2))
The EDPB has confirmed that providing a copy of the data without the accompanying information listed above does not constitute a complete response. Many organisations send a data export and consider the request closed. This is insufficient under Article 15.
Fees: almost never permitted
Article 12(5) states that responses to data subject rights requests must be provided free of charge. The only exception is where requests are manifestly unfounded or excessive, particularly if repetitive. In that case, you may charge a reasonable fee based on administrative costs, or refuse to act.
"Manifestly unfounded" is a high bar. A request is not manifestly unfounded simply because the requester does not specify what they are looking for, or because you believe they have an ulterior motive, or because the data they want is already available to them. You carry the burden of demonstrating the manifestly unfounded nature of the request. If you charge a fee or refuse, you must inform the requester within one month of receiving the request and explain your reasoning, the right to complain to a supervisory authority, and the right to seek judicial remedy.
When you can refuse
You can refuse to act on a DSAR only where the request is manifestly unfounded or excessive under Article 12(5), or where an exemption applies under national law (most EU member states have implemented exemptions for legal proceedings, professional legal privilege, and similar circumstances under Article 23).
Where you refuse, you must inform the requester within one month of receipt. The notification must explain why you are refusing and tell the requester they have the right to complain to a supervisory authority and to seek a judicial remedy. A refusal without this notification is itself a breach of Article 12.
CCPA equivalent: the right to know
The California Consumer Privacy Act (as amended by CPRA) provides a similar right under Section 1798.100: consumers may request the categories and specific pieces of personal information a business has collected about them. The response deadline under CCPA is 45 calendar days from receipt, extendable once by a further 45 days when reasonably necessary, provided the consumer is notified of the extension within the first 45-day period.
The GDPR right of access is broader in scope than the CCPA right to know. GDPR requires disclosure of processing purposes, retention periods, and the full Article 15 contents listed above. CCPA requires disclosure of categories of personal information, categories of sources, business or commercial purpose for collection, categories of third parties with whom data is shared, and specific pieces of personal information collected. For organisations subject to both, a GDPR-complete response typically satisfies the CCPA requirement as well, but CCPA also requires disclosures about commercial purposes and sharing that GDPR does not frame in the same way.
For the CCPA access right in context, see the CCPA compliance checklist. For the GDPR rights framework including Articles 15 to 22, see the GDPR compliance checklist.
FAQ
When does the one-month GDPR response clock start?
The one-month period begins from the day the organisation receives the request. GDPR Article 12(3) uses "receipt" as the trigger. If you receive a DSAR by email on 5 March, the deadline is 5 April. You cannot pause the clock while verifying identity.
Can I charge a fee for a DSAR?
In most cases, no. GDPR Article 12(5) requires responses to be provided free of charge. The only exception is for manifestly unfounded or excessive requests, where you may charge a reasonable fee or refuse to act — but you must be able to demonstrate the excessive nature.
Can I refuse a data subject access request?
Only if the request is manifestly unfounded or excessive under Article 12(5), or if an exemption under national law made under Article 23 applies. If you refuse, you must inform the data subject within one month and explain the reasons, the right to complain to a supervisory authority, and the right to seek a judicial remedy. You bear the burden of proving the refusal is justified.
What must a DSAR response include under GDPR?
Article 15 requires: confirmation of processing, a copy of the personal data, purposes, categories, recipients, retention periods, information about data subject rights, the right to complain to a supervisory authority, data source information, details of any automated decision-making, and the safeguards applied to any transfers to third countries.
Does CCPA have an equivalent to the GDPR data subject access request?
Yes. CCPA Section 1798.100 gives California consumers the right to request their personal information. The response deadline is 45 calendar days, extendable once by a further 45 days when reasonably necessary and with notice to the consumer. The right is similar in function but narrower in required disclosure scope than GDPR Article 15.