You just received a data subject access request from an email address ending in .com.br. Your team confidently marks it for the standard 30-day GDPR timeline. Two weeks later, you receive a formal complaint from Brazil's data protection authority. The problem? Brazil's LGPD gives you just 15 days to respond — half the time you thought you had.
If your company operates across multiple jurisdictions, you're navigating a minefield of conflicting DSAR deadlines. What counts as "day one"? Are those calendar days or business days? Can you extend the deadline, and if so, how? A single mistake can trigger regulatory complaints, damage customer trust, and expose your organization to enforcement action.
This guide breaks down DSAR response deadlines across six major regions, highlights the critical differences that catch companies off guard, and provides a practical framework for managing multi-jurisdiction compliance without missing a single deadline.
Why DSAR Deadlines Vary So Dramatically
Data subject access requests — the right for individuals to obtain a copy of their personal data — exist in virtually every modern privacy law. But the timeline for compliance varies wildly depending on where your data subject lives.
These differences aren't arbitrary. They reflect each jurisdiction's policy priorities:
- Consumer protection focus: Jurisdictions like Brazil prioritize rapid response to empower individuals, resulting in aggressive 15-day deadlines.
- Business practicality: Laws like GDPR balance individual rights with operational reality, allowing 30 days plus extensions for complex requests.
- Regulatory maturity: Newer laws (like India's DPDP) are still developing implementing rules, leaving some details uncertain.
- Enforcement philosophy: Some regulators (like Canada's Privacy Commissioner) emphasize "reasonable" timelines over strict numerical deadlines.
For companies operating globally, this creates a compliance challenge: you must track which law applies to each request, calculate the correct deadline, and ensure your process can meet the shortest timeline in your operational footprint.
Europe: The 30-Day Standard
GDPR (European Union)
The General Data Protection Regulation established the gold standard that most subsequent privacy laws have followed: 30 calendar days from receipt of a valid request.
Key details:
- Clock starts: When you receive a verifiable request (not when you complete identity verification)
- Extension allowed: You can extend by an additional 60 days (90 days total) for complex or numerous requests, but you must notify the requester within the original 30-day window and explain why the extension is necessary
- Calendar vs. business days: Calendar days — weekends and holidays count
- Verification time: Time spent verifying identity does not stop the clock; verification must happen within the 30-day window
Common pitfall: Many companies mistakenly believe the 30 days start after identity verification is complete. They don't. The GDPR's Article 12(3) is clear: the controller "shall provide information on action taken on a request under Articles 15 to 22 without undue delay and in any event within one month of receipt of the request."
UK GDPR
Post-Brexit, the UK maintains an identical 30 calendar day deadline with the same extension rules as EU GDPR. The Information Commissioner's Office (ICO) has confirmed that UK GDPR should be interpreted consistently with EU GDPR on timing.
Switzerland nFADP
Switzerland's revised Federal Act on Data Protection (nFADP), effective September 2023, also follows the 30-day timeline. However, Swiss law emphasizes "without undue delay," and the Federal Data Protection and Information Commissioner (FDPIC) has indicated that 30 days should be treated as a maximum, not a target.
Americas: From 10-Day Acknowledgments to 15-Day Mandates
Brazil LGPD: The Strictest Deadline in the World
Brazil's Lei Geral de Proteção de Dados (LGPD) imposes the strictest DSAR deadline globally: 15 days, with the possibility of extending for an additional 15 days in specific cases.
Critical differences from GDPR:
- 15 days, not 30: Your response window is cut in half compared to European standards
- Extension is rare: Unlike GDPR's automatic right to extend for complex requests, LGPD extensions require justification and are granted far less liberally
- Calendar days: Like GDPR, weekends and holidays count against you
- Strict enforcement: Brazil's Autoridade Nacional de Proteção de Dados (ANPD) has shown little tolerance for missed deadlines
Real-world impact: If you operate in both the EU and Brazil, you cannot default to the 30-day GDPR timeline. Your DSAR workflow must flag Brazilian requests immediately and prioritize them for the 15-day deadline. Many companies adopt a "shortest deadline wins" policy, responding to all DSARs within 15 days to avoid jurisdiction-specific tracking.
Canada PIPEDA: 30 Days with Flexibility
Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) requires responses within 30 days of receiving a request. However, PIPEDA allows extensions "for a reasonable period" if:
- Meeting the deadline would unreasonably interfere with the organization's activities
- The time required to locate the information is considerable
- The request is complex
You must notify the requester of the extension and provide reasons. Unlike GDPR's hard 90-day maximum, PIPEDA doesn't specify a cap on extensions, leaving "reasonable" to be determined case-by-case. The Office of the Privacy Commissioner of Canada (OPC) has indicated that extensions beyond 60 days should be exceptional.
United States: A Patchwork of State Deadlines
The U.S. has no federal DSAR law, resulting in a state-by-state patchwork:
- CCPA/CPRA (California): 45 calendar days with a one-time 45-day extension (90 days total). You must acknowledge receipt within 10 days.
- VCDPA (Virginia): 45 days, extendable once by 45 days
- CPA (Colorado): 45 days, extendable once by 45 days
- CTDPA (Connecticut): 45 days, extendable by 60 additional days (105 days total)
- UCPA (Utah): 45 days, extendable once by 45 days
Common pattern: Most U.S. state laws follow California's model: 45 days with a 45-day extension, plus a 10-day acknowledgment requirement unique to CCPA/CPRA.
Critical difference: U.S. laws generally allow you to deny requests that are "manifestly unfounded or excessive" without providing the data. European laws are far more restrictive in allowing denials.
Asia-Pacific: From Prescriptive Timelines to "Without Delay"
China PIPL: 30 Days, Strictly Enforced
China's Personal Information Protection Law (PIPL) requires responses within 30 days. While this aligns with GDPR, China's enforcement approach differs significantly:
- No public extension rules: PIPL doesn't explicitly allow extensions for complex requests
- Strict interpretation: The Cyberspace Administration of China (CAC) has indicated that 30 days should be treated as a firm deadline
- Cross-border considerations: If personal data has been transferred out of China, retrieval obligations may affect response timelines
India DPDP: Rules Pending
India's Digital Personal Data Protection Act (DPDP) was enacted in August 2023, but implementing rules are still pending as of 2026. The Act requires data fiduciaries to respond to access requests "as soon as reasonably practicable" but does not specify a numerical deadline.
Once rules are published, expect a timeline similar to GDPR (likely 30 days), but until then, "reasonably practicable" is the standard.
Japan APPI: "Without Delay"
Japan's Act on the Protection of Personal Information (APPI) requires disclosure "without delay" but doesn't specify a numerical deadline. The Personal Information Protection Commission (PPC) has indicated that responses should typically be provided within 30 days, but this is guidance rather than a hard requirement.
Practical implication: While 30 days is the safe harbor, "without delay" means you should respond faster if you can. A 30-day delay for a simple request that could be answered in 48 hours may not satisfy the "without delay" standard.
Singapore PDPA: 30 Days
Singapore's Personal Data Protection Act (PDPA) requires responses within 30 days. The Personal Data Protection Commission (PDPC) allows reasonable extensions if:
- The request is complex
- Numerous requests have been received
- More time is needed to consult third parties
You must inform the requester of the extension within the initial 30-day period.
Australia Privacy Act: "Reasonable Period"
Australia's Privacy Act doesn't specify a numerical deadline. The Office of the Australian Information Commissioner (OAIC) has stated that a "reasonable period" is typically 30 days, but this depends on:
- Complexity of the request
- Volume of information
- Resources required to locate and retrieve data
Practical standard: Default to 30 days, but document any factors that justify a longer timeline.
Africa & Middle East: POPIA and Emerging Frameworks
South Africa POPIA: 30 Days
South Africa's Protection of Personal Information Act (POPIA) requires responses within 30 days (referred to as "a reasonable period as may be prescribed," with regulations specifying 30 days). Unlike GDPR, POPIA doesn't explicitly allow extensions, though the Information Regulator has indicated that reasonable delays due to complexity may be acceptable if the requester is promptly informed.
Enforcement reality: South Africa's Information Regulator has actively enforced POPIA since 2021, issuing fines for non-compliance. The 30-day deadline should be treated as firm.
UAE PDPL: Rules Developing
The United Arab Emirates' Personal Data Protection Law (PDPL) is relatively new, and detailed regulations are still being developed. While the law establishes data subject rights, specific timelines for DSAR responses have not yet been codified.
Current guidance: Until regulations are published, apply a 30-day standard as a safe harbor, consistent with international best practices.
Calendar Days vs. Business Days: A Critical Distinction
One of the most overlooked compliance traps: most privacy laws specify calendar days, not business days.
| Jurisdiction | Day Type | Deadline | Actual Working Days (Approx.) |
|---|---|---|---|
| GDPR | Calendar | 30 days | ~21 working days |
| LGPD | Calendar | 15 days | ~10 working days |
| CCPA | Calendar | 45 days | ~32 working days |
| PIPEDA | Calendar | 30 days | ~21 working days |
| PIPL | Calendar | 30 days | ~21 working days |
Why this matters: If you receive a GDPR DSAR on a Friday, the clock doesn't pause for the weekend. You've lost two days before Monday morning. A 30-calendar-day deadline gives you roughly 21 working days — less than you think.
Holiday complications: Public holidays vary by jurisdiction. A request received just before a long holiday weekend can cut your actual working time significantly. Use jurisdiction-specific DSAR calculators that account for local holidays to avoid surprises.
What Counts as "Day One"?
When does the clock start ticking?
Most jurisdictions: The deadline starts when you receive a verifiable request, not when you:
- Complete identity verification
- Acknowledge the request
- Locate the relevant data
- Assign the request to a team member
Verification paradox: You must verify the requester's identity before disclosing personal data (to avoid unauthorized disclosure), but verification time counts against your deadline. This is why efficient verification workflows are critical.
Best practice: Implement a two-track process:
- Immediately log the request and start the deadline clock
- Simultaneously initiate identity verification (aim to complete within 3-5 days)
- Begin data collection while verification is in progress (but don't disclose until verification completes)
CCPA exception: California's CCPA/CPRA requires you to acknowledge receipt within 10 days, creating a deadline-within-a-deadline. The 45-day response window still starts from receipt, but you must confirm receipt within the first 10 days.
Extension Rules: When Can You Buy More Time?
Extension rules vary dramatically:
GDPR / UK GDPR / Switzerland nFADP
- Extension allowed: Yes, up to 60 additional days (90 days total)
- Trigger: Complex request or numerous requests
- Process: Notify requester within original 30 days, explain reason for delay
- Limit: One extension only
LGPD (Brazil)
- Extension allowed: Yes, up to 15 additional days (30 days total)
- Trigger: Not clearly specified; interpreted narrowly
- Process: Justify to the requester
- Limit: One extension only
- Enforcement reality: Extensions are granted less liberally than under GDPR
CCPA / Most U.S. State Laws
- Extension allowed: Yes, 45 additional days (90 days total)
- Trigger: "Reasonably necessary" due to complexity or volume
- Process: Notify requester within 45 days, explain reason
- Limit: One extension only
PIPEDA (Canada)
- Extension allowed: Yes, for a "reasonable period"
- Trigger: Unreasonable interference with activities, time to locate information, complexity
- Process: Notify requester, provide reasons
- Limit: No hard cap, but OPC guidance suggests 60 days should be exceptional
PIPL (China)
- Extension allowed: Not explicitly permitted
- Enforcement reality: 30 days treated as firm deadline
Pro tip: Extensions are a privilege, not a right. To justify an extension, document:
- Number of requests received in the same period
- Volume of data systems that must be searched
- Technical complexity (e.g., legacy systems, third-party data)
- Resources available to process the request
Multi-Jurisdiction Compliance Strategy
If you operate across multiple regions, you face a choice:
Option 1: Apply the Shortest Deadline as Default
Approach: Respond to all DSARs within 15 days (Brazil's deadline), regardless of jurisdiction.
Pros:
- Simplifies workflow (one deadline for all requests)
- Eliminates risk of jurisdiction misidentification
- Demonstrates strong data subject rights culture
- No need to track multiple timelines
Cons:
- May strain resources for simple requests
- Doesn't take advantage of longer timelines where available
Best for: Organizations with high DSAR volume and mature privacy operations.
Option 2: Jurisdiction-Specific Tracking
Approach: Identify the requester's jurisdiction and apply the corresponding deadline.
Pros:
- Maximizes available response time
- Efficient resource allocation
Cons:
- Requires robust jurisdiction detection
- Risk of misidentification (e.g., VPN use, traveler requests)
- Complex workflow with multiple deadline tracks
Best for: Organizations with lower DSAR volume and clear jurisdiction identification (e.g., B2B with known customer locations).
Hybrid Approach: Tiered Response Times
Many organizations use a tiered system:
- Tier 1 (Simple requests): 7-10 days, regardless of jurisdiction
- Tier 2 (Moderate complexity): 15-20 days
- Tier 3 (Complex/voluminous): Full legal deadline (30-45 days) with extension if necessary
This approach delivers fast responses for most requests while reserving the full deadline for genuinely complex cases.
Practical Implementation Tips
1. Automate Jurisdiction Detection
Use email domain, IP address, and stated residency to flag jurisdiction. Build in a "Brazil flag" that automatically prioritizes any request that might be subject to LGPD's 15-day deadline.
2. Build Verification Into Day 1-3
Don't let identity verification become a bottleneck. Use automated email verification for low-risk requests, and escalate to document-based verification only when necessary.
3. Use Deadline Calculators
Manual deadline calculation invites errors. Use jurisdiction-specific calculators that account for:
- Calendar vs. business days
- Local public holidays
- Extension rules
- Acknowledgment requirements (like CCPA's 10-day rule)
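The jurisdiction flag from tip 1 and the deadline calculation from tip 3 can be combined in one intake function. The sketch below is an added example, not the code behind any calculator mentioned in this guide. The names `compute_deadline`, `RULES` and `REGION_TO_LAW` are hypothetical, the IP address is assumed to be already resolved to a region code, the due date is assumed to be the receipt date plus N calendar days, and public holidays are not modeled.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# (response days, extension days, acknowledgment days) as stated in this guide.
# None = no fixed number given (PIPEDA: "reasonable period"; PIPL: not permitted).
RULES = {
    "LGPD":   (15, 15, None),
    "GDPR":   (30, 60, None),
    "PIPL":   (30, None, None),
    "PIPEDA": (30, None, None),
    "CCPA":   (45, 45, 10),
}
EU = ("AT BE BG HR CY CZ DK EE FI FR DE GR HU IE IT LV LT LU MT NL "
      "PL PT RO SK SI ES SE").split()
# Assumption: region codes are ISO country codes, plus "US-CA" for California.
REGION_TO_LAW = {"BR": "LGPD", "CN": "PIPL", "CA": "PIPEDA", "US-CA": "CCPA",
                 **{c: "GDPR" for c in EU}}

@dataclass
class Deadline:
    law: str                      # law that governs the clock
    candidates: List[str]         # every law a signal pointed to
    ack_due: Optional[date]
    due: date
    extended_due: Optional[date]  # latest date if an extension is notified in time
    needs_review: bool            # signals conflict or are missing

def law_from_email(email: str) -> Optional[str]:
    # Country-code TLD only; generic TLDs such as .com carry no signal.
    return REGION_TO_LAW.get(email.rsplit(".", 1)[-1].upper())

def compute_deadline(received: date, email: str,
                     ip_region: Optional[str] = None,
                     stated_region: Optional[str] = None) -> Deadline:
    laws = {law_from_email(email), REGION_TO_LAW.get(ip_region),
            REGION_TO_LAW.get(stated_region)} - {None}
    candidates = sorted(laws, key=lambda l: (RULES[l][0], l))
    # Shortest deadline wins on conflict; with no signal at all, fall back
    # to the shortest deadline in the table (the "Brazil flag").
    law = candidates[0] if candidates else min(RULES, key=lambda l: RULES[l][0])
    days, ext, _ = RULES[law]
    # Keep the earliest acknowledgment duty of any candidate law.
    acks = [RULES[l][2] for l in candidates if RULES[l][2]]
    return Deadline(
        law=law,
        candidates=candidates,
        ack_due=received + timedelta(days=min(acks)) if acks else None,
        due=received + timedelta(days=days),
        extended_due=received + timedelta(days=days + ext) if ext else None,
        needs_review=len(candidates) != 1,
    )
```

A request with a `.com.br` address and a German IP resolves to LGPD with `needs_review` set, so a person confirms the jurisdiction while the 15-day clock is already running.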
4. Document Everything
If you need to extend a deadline or deny a request, your documentation must be bulletproof. Maintain audit trails showing:
- When the request was received
- Verification steps taken
- Data systems searched
- Reason for any delays or extensions
- Final response date
5. Monitor and Measure
Track key metrics:
- Average response time by jurisdiction
- Percentage of requests requiring extensions
- Missed deadlines (even if no complaint was filed)
- Complaints related to response time
Use this data to identify bottlenecks and improve your process before a regulator asks questions.
Key Takeaways
- Brazil's 15-day LGPD deadline is the strictest globally — if you operate in Brazil, it dictates your entire DSAR workflow
- Most deadlines are calendar days, not business days — weekends and holidays count against you
- The clock starts when you receive a valid request, not when you complete verification or acknowledge receipt
- Extension rules vary dramatically — GDPR allows 60 extra days, LGPD allows 15, PIPL allows none
- U.S. state laws generally follow the 45-day pattern with 10-day acknowledgment requirements
- Asia-Pacific laws range from prescriptive (30 days) to principle-based ("without delay")
- Multi-jurisdiction strategy: Apply the shortest deadline as default (15 days) or implement jurisdiction-specific tracking with robust fallback
- Automate jurisdiction detection, verification, and deadline calculation to avoid manual errors
- Document every step — your audit trail is your defense if a deadline is challenged
If your company operates across borders, DSAR deadline management isn't just a compliance task — it's a core operational capability. Build your workflow around the strictest deadline you face, automate wherever possible, and treat every request as if a regulator is watching. Because increasingly, they are.