If your organization processes personal data across borders, DSAR deadlines aren't a single number. They're a matrix of jurisdiction-specific rules that vary in timeframe, extension conditions, counting methods, and holiday handling.
Getting it wrong in one jurisdiction while compliant in another still results in enforcement action. Here's the definitive comparison.
The Major Privacy Laws
European Union — GDPR
| Parameter | Rule |
|---|---|
| Standard deadline | 1 calendar month from day after receipt |
| Extension | +2 months for complex/numerous requests |
| Extension notice | Within first month, with reasons |
| Business days or calendar? | Calendar month |
| Weekend/holiday adjustment | If deadline falls on weekend/holiday, extends to next business day |
| Identity verification | Allowed, but does NOT pause the clock |
| Fee | Free for first copy; reasonable fee for additional copies |
The calendar month rule means that a request received on January 31 is due February 28 (or 29). A request received on March 15 is due April 15.
United Kingdom — UK GDPR
Identical to EU GDPR in most respects since the UK retained GDPR principles post-Brexit. The ICO has published specific guidance clarifying that the one calendar month rule applies the same way.
California — CCPA/CPRA
| Parameter | Rule |
|---|---|
| Standard deadline | 45 calendar days from receipt |
| Extension | +45 calendar days |
| Extension notice | Within first 45 days |
| Identity verification | Required before processing; reasonable verification measures |
| Fee | Free (generally) |
CCPA gives more time upfront (45 days vs. ~30) but a shorter extension (45 days vs. 60).
Brazil — LGPD
| Parameter | Rule |
|---|---|
| Standard deadline | 15 days from receipt |
| Extension | Not explicitly provided in the law |
| Simplified format | Immediate or within 15 days |
| Complete format | Within 15 days, by clear and complete declaration |
Brazil's LGPD has one of the shortest deadlines globally. The 15-day window leaves almost no room for delay.
South Africa — POPIA
| Parameter | Rule |
|---|---|
| Standard deadline | 30 days from receipt |
| Extension | +30 days for reasonable grounds |
| Fee | Prescribed fee may be charged |
Canada — PIPEDA
| Parameter | Rule |
|---|---|
| Standard deadline | 30 days from receipt |
| Extension | +30 days with notice |
| Fee | Minimal or no cost |
Australia — Privacy Act
| Parameter | Rule |
|---|---|
| Standard deadline | 30 calendar days from receipt |
| Extension | +30 days with written notice |
| Charging | Access charges may apply |
India — DPDPA
| Parameter | Rule |
|---|---|
| Standard deadline | To be prescribed by rules (expected 30 days) |
| Context | India's Digital Personal Data Protection Act was enacted in 2023; implementation rules are still being finalized |
Japan — APPI
| Parameter | Rule |
|---|---|
| Standard deadline | Without delay (no specific number) |
| Practical expectation | 2-4 weeks considered reasonable |
South Korea — PIPA
| Parameter | Rule |
|---|---|
| Standard deadline | 10 days from receipt |
| Extension | +10 days with justified cause |
South Korea has one of the strictest deadlines, matching its broader pattern of aggressive data protection enforcement.
US State Laws
The United States has a patchwork of state-level privacy laws, each with its own deadline:
| State | Law | Deadline | Extension |
|---|---|---|---|
| California | CCPA/CPRA | 45 days | +45 days |
| Virginia | VCDPA | 45 days | +45 days |
| Colorado | CPA | 45 days | +15 days |
| Connecticut | CTDPA | 45 days | +45 days |
| Utah | UCPA | 45 days | +45 days |
| Texas | TDPSA | 45 days | +45 days |
| Oregon | OCPA | 45 days | +45 days |
| Montana | MCDPA | 45 days | +15 days |
| Iowa | ICDPA | 90 days | None |
| Tennessee | TIPA | 45 days | +15 days |
| Indiana | IDPA | 45 days | +30 days |
| Delaware | DPDPA | 45 days | +45 days |
| New Hampshire | NHPA | 60 days | +30 days |
| New Jersey | NJDPA | 45 days | +45 days |
Most US states have converged on 45 days, but extension periods vary significantly — from 15 days (Colorado, Montana, Tennessee) to 45 days (California, Virginia, most others). Iowa is an outlier at 90 days with no extension.
The Complexity Problem
For an organization operating in the EU, UK, California, and Brazil, a single DSAR could have four different applicable deadlines:
| Jurisdiction | Standard | Maximum |
|---|---|---|
| EU GDPR | ~30 days | ~90 days |
| UK GDPR | ~30 days | ~90 days |
| CCPA | 45 days | 90 days |
| LGPD | 15 days | 15 days |
If the requester is a Brazilian resident, you have 15 days. If they're a California resident, you have 45. If they're an EU resident, you have one calendar month.
Applying the wrong deadline — even if it's the deadline from a law you are compliant with — is a violation in the requester's jurisdiction.
Managing Multi-Jurisdiction Deadlines
Step 1: Determine Applicable Jurisdiction
At intake, identify which privacy law applies based on:
- The data subject's country/state of residence
- Where the data was collected
- Which entity collected the data
In ambiguous cases, apply the strictest applicable deadline.
Step 2: Calculate Automatically
Manual deadline calculation across jurisdictions is error-prone. Calculate based on:
- The specific jurisdiction's rules (calendar month, calendar days, business days)
- Whether the deadline falls on a weekend or public holiday
- Jurisdiction-specific public holiday calendars
- The receipt date (not the reading date — when it arrived, not when someone opened the email)
Step 3: Track Internal Milestones
Don't just track the final deadline. Set internal milestones:
- Day 1: Acknowledge receipt, start identity verification
- 25% of deadline: Identity verified, search initiated
- 50% of deadline: Data compiled, review underway
- 75% of deadline: Response drafted, review by legal/compliance
- 90% of deadline: Final approval and delivery
- Deadline: If not complete, extension must have been communicated
Step 4: Document Everything
For each DSAR, your evidence trail should include:
- When the request was received (timestamped)
- Which jurisdiction's rules apply and why
- When identity was verified
- Which systems were searched
- When the response was sent
- If an extension was communicated, when and why
This evidence isn't just for internal records. It's what you'll present when a regulator asks how you handle cross-border DSARs.
Key Takeaways
- There is no universal DSAR deadline — it depends on the applicable jurisdiction
- Brazil (15 days) and South Korea (10 days) have the shortest deadlines globally
- Most US states have converged on 45 days but extensions vary from 15-45 days
- GDPR's calendar month is not 30 days — it's calculated month-to-month
- When in doubt, use the strictest applicable deadline — you can't go wrong by responding faster
- Automated calculation is essential for multi-jurisdiction compliance
- Document the jurisdiction determination — it's part of your audit trail