The 30-Day Clock: How to Manage DSAR Deadlines and Legal Extensions
Author: Jerisaliant
The 30-Day Rule
Under GDPR Article 12(3), controllers must respond to a DSAR without undue delay and in any event within one month of receipt. This is a hard deadline, not a target. The 30-day clock starts ticking from the day after the request is received, regardless of how it was submitted (email, web form, letter, verbal).
If the final day of the period falls on a weekend or public holiday, the deadline extends to the next working day. Do not rely on this technicality: it applies only to the final day of the period.
When Can You Extend?
Article 12(3) permits an extension of up to two additional months when the request is complex or when you have received a large number of requests from the same individual. To use this extension:
- Notify the data subject within the first 30 days that an extension is needed.
- Explain the reason for the delay (complexity or volume).
- The total response time must not exceed three months from the original request date.
Common grounds for extension include: requests covering many years of data, data spread across numerous systems, requests requiring significant redaction of third-party information, or requests involving complex legal assessments (e.g., determining if an exemption applies).
Building a Deadline-Proof Process
Automated Intake
Implement a centralized intake system that captures every DSAR regardless of channel and immediately timestamps it. Manual intake (where a DSAR sits in someone's inbox for days before being logged) is the primary cause of deadline breaches.
SLA Tracking
Assign internal SLAs that are shorter than the legal deadline to build in buffer time:
- Day 0-3: Intake, log, verify identity.
- Day 3-10: Data search and collection across all systems.
- Day 10-20: Review, redaction, and legal assessment.
- Day 20-25: Response preparation and quality check.
- Day 25-30: Final approval and delivery to the data subject.
Escalation Triggers
Set automated escalation alerts at key milestones: 50% of time elapsed, 75% of time elapsed, and 90% of time elapsed. Escalate to management if a DSAR is at risk of breaching its deadline.
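The clock, internal SLA stages and escalation milestones described above, as an added Python example (not Jerisaliant's code). It assumes the article's 30-day reading of the deadline; the names `due_date`, `status` and `Status` and the caller-supplied holiday set are hypothetical.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

CLOCK_DAYS = 30  # assumption: the article's 30-day reading of the deadline
ESCALATION_PCT = (50, 75, 90)  # escalation milestones, percent of clock elapsed
# Internal SLA stages from the article: (last day of stage, activity).
# A boundary day (3, 10, 20, 25) is counted in the earlier stage.
SLA_STAGES = (
    (3, "Intake, log, verify identity"),
    (10, "Data search and collection"),
    (20, "Review, redaction, legal assessment"),
    (25, "Response preparation and quality check"),
    (30, "Final approval and delivery"),
)


@dataclass(frozen=True)
class Status:
    day: int                   # days elapsed since receipt
    stage: str                 # internal SLA stage the request should be in
    escalation: Optional[int]  # highest milestone crossed, or None
    due: date
    breached: bool


def due_date(received: date, holidays=frozenset()) -> date:
    """Day 1 is the day after receipt; only the final day rolls forward
    past weekends and the (caller-supplied) public holidays."""
    due = received + timedelta(days=CLOCK_DAYS)
    while due.weekday() >= 5 or due in holidays:
        due += timedelta(days=1)
    return due


def status(received: date, today: date, holidays=frozenset()) -> Status:
    day = (today - received).days
    due = due_date(received, holidays)
    stage = next((name for last, name in SLA_STAGES if day <= last),
                 "Past internal SLA")
    # Milestones use the nominal 30 days, not the rolled-over due date,
    # so the weekend extension is never consumed as working buffer.
    crossed = [p for p in ESCALATION_PCT if day * 100 >= p * CLOCK_DAYS]
    return Status(day, stage, max(crossed, default=None), due, today > due)


# Constructed sample: request received Friday 2024-03-01.
if __name__ == "__main__":
    print(status(date(2024, 3, 1), date(2024, 3, 28)))
```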
Consequences of Missing Deadlines
Failing to respond within the deadline can result in:
- Complaints to the supervisory authority.
- GDPR fines under Article 83(5)(b) for infringement of data subject rights (up to EUR 20 million or 4% of global annual turnover).
- Reputational damage and loss of customer trust.
- Litigation by the data subject under Article 79.
Multi-Jurisdiction Timelines
Be aware that different regulations have different deadlines: CCPA allows 45 days (extendable by 45), while LGPD requires a response in 15 days for simplified requests and up to a "reasonable" timeframe for others. Your DSAR management system must track jurisdiction-specific deadlines for each request.
Jerisaliant's DSAR module includes automated deadline tracking, milestone-based internal SLAs, escalation alerts, and multi-jurisdiction timeline management.