When a data subject submits a request under the GDPR, the clock starts ticking. You have one calendar month to respond — not 30 days, not 28 days, but one calendar month from the day after receipt. Getting this wrong is one of the most common compliance failures, and it accounts for a significant share of complaints filed with supervisory authorities.
The Basic Rule: One Calendar Month
Article 12(3) of the GDPR states that the controller shall provide information on action taken "without undue delay and in any event within one month of receipt of the request."
This means:
- A request received on January 15 is due by February 15
- A request received on January 31 is due by February 28 (or February 29 in a leap year)
- If the deadline falls on a weekend or public holiday, it extends to the next business day
When Can You Extend the Deadline?
The GDPR allows a two-month extension (for a total of three months) when requests are "complex or numerous." However, you must:
- Notify the data subject within the first month that you need more time
- Explain why the extension is necessary
- Document your reasoning — regulators will scrutinize vague justifications
Simply being busy or under-resourced is not a valid reason for extension. The complexity must relate to the request itself — for example, if the data subject's information is spread across dozens of interconnected systems.
Common Mistakes That Trigger Complaints
1. Counting From the Wrong Day
The clock starts the day after receipt, not on the day of receipt. If you receive a DSAR on March 1, day one of your countdown is March 2.
2. Ignoring Identity Verification Time
You may request identity verification before processing a DSAR. However, the deadline clock does not pause during verification. If verification takes two weeks, you have only two weeks left to fulfill the request.
3. Missing Verbal Requests
Under the GDPR, data subjects can make requests verbally — by phone, in person, or through customer service. If your organization only accepts written DSARs, you may be creating compliance risk.
4. Treating All Requests the Same
Different request types may have different processing requirements. An access request (Article 15) typically requires searching all systems, while a deletion request (Article 17) may require coordination with third-party processors.
How Different Jurisdictions Compare
While the GDPR provides one calendar month, other privacy laws have different deadlines:
| Law | Deadline | Extension |
|---|---|---|
| GDPR (EU) | 1 calendar month | +2 months |
| UK GDPR | 1 calendar month | +2 months |
| CCPA (California) | 45 calendar days | +45 days |
| VCDPA (Virginia) | 45 calendar days | +45 days |
| CPA (Colorado) | 45 calendar days | +15 days |
For organizations operating across multiple jurisdictions, tracking these varying deadlines manually is a recipe for missed deadlines and regulatory exposure.
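The month-based arithmetic above (same day of month, clamped to a shorter month, rolled to the next business day) is easy to get wrong when done by hand. The following is an added example, not code from the article, that implements the rules as the article states them: GDPR and UK GDPR deadlines add calendar months so that January 15 falls due on February 15 and January 31 on February 28 or 29, the US laws add calendar days, and any deadline landing on a weekend or a caller-supplied public holiday moves to the next business day. The RULES table is constructed from the comparison table above; the holiday set and the function names are assumptions for illustration. It also goes slightly beyond the article by computing the remaining time after identity verification, since the clock does not pause.

```python
from datetime import date, timedelta
import calendar

# Constructed from the article's comparison table (hypothetical lookup, not a legal source).
# "month" rules add calendar months; "days" rules add calendar days.
RULES = {
    "GDPR":    {"unit": "month", "base": 1,  "extension": 2},
    "UK GDPR": {"unit": "month", "base": 1,  "extension": 2},
    "CCPA":    {"unit": "days",  "base": 45, "extension": 45},
    "VCDPA":   {"unit": "days",  "base": 45, "extension": 45},
    "CPA":     {"unit": "days",  "base": 45, "extension": 15},
}


def add_months(d, months):
    """Same day of month N months later, clamped to the last day of the target month
    (January 31 + 1 month -> February 28, or February 29 in a leap year)."""
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))


def next_business_day(d, holidays=frozenset()):
    """Roll forward while d is a Saturday, a Sunday or a listed public holiday."""
    while d.weekday() >= 5 or d in holidays:
        d += timedelta(days=1)
    return d


def dsar_deadline(received, law="GDPR", extended=False, holidays=frozenset()):
    """Statutory response date for a request received on `received` under `law`.
    `extended=True` applies the one permitted extension (the data subject must
    have been notified within the base period for that to be valid)."""
    rule = RULES[law]
    span = rule["base"] + (rule["extension"] if extended else 0)
    if rule["unit"] == "month":
        due = add_months(received, span)
    else:
        due = received + timedelta(days=span)
    return next_business_day(due, holidays)


def days_remaining(received, today, law="GDPR", holidays=frozenset()):
    """Days left to respond as of `today`. Identity verification does not pause the
    clock, so time spent verifying simply reduces this number."""
    return (dsar_deadline(received, law, holidays=holidays) - today).days


if __name__ == "__main__":
    # Constructed sample: a request received on a Wednesday, due on a Saturday,
    # so the deadline rolls to Monday 17 February 2025.
    print(dsar_deadline(date(2025, 1, 15)))
    print(dsar_deadline(date(2024, 1, 31)))                  # leap year: 29 February 2024
    print(dsar_deadline(date(2024, 1, 1), "CCPA", extended=True))  # 90 days lands on a Sunday
```

Because the business-day roll is applied after the month or day arithmetic, a deadline that already falls on a weekday is never moved, and the caller supplies the public-holiday calendar for the relevant jurisdiction rather than the code guessing one.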
Proving You Met the Deadline
Calculating the deadline correctly is step one. Proving you met it is step two. Regulators don't just ask whether you responded on time — they ask for evidence:
- When was the request received?
- When was the response sent?
- What systems were searched?
- Who handled the request?
- Was the data subject notified of any extension?
Without timestamped, tamper-proof records, your compliance assertion is just a claim. With cryptographic evidence capture, it becomes verifiable proof.
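To make the evidence questions above concrete, here is an added example (not code from the article or from any product it refers to) of a minimal hash-chained DSAR event log: every entry records who did what and when, and carries the SHA-256 hash of the previous entry, so editing or dropping a record afterwards breaks the chain and is detected by verification. The event names, request identifier and timestamps are constructed sample values.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash of the first entry


class EvidenceLog:
    """Append-only record of DSAR handling events. Each entry is bound to its
    predecessor by a SHA-256 hash so later edits or deletions are detectable."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(entry):
        # Canonical JSON (sorted keys, no whitespace) so the hash is reproducible.
        canonical = json.dumps({k: v for k, v in entry.items() if k != "hash"},
                               sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(canonical.encode()).hexdigest()

    def record(self, request_id, event, actor, details=None, at=None):
        """Append one event and return its hash."""
        ts = (at or datetime.now(timezone.utc)).isoformat()
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"request_id": request_id, "event": event, "actor": actor,
                 "details": details or {}, "timestamp": ts, "prev_hash": prev}
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """Return (True, None) if the chain is intact, else (False, index of first bad entry)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["prev_hash"] != prev or self._digest(e) != e["hash"]:
                return False, i
            prev = e["hash"]
        return True, None

    def timeline(self, request_id):
        """(event, timestamp) pairs for one request, in the order they were recorded."""
        return [(e["event"], e["timestamp"]) for e in self.entries
                if e["request_id"] == request_id]

    def response_date(self, request_id):
        """Calendar date on which the response was sent, or None if not yet sent."""
        for e in self.entries:
            if e["request_id"] == request_id and e["event"] == "response_sent":
                return datetime.fromisoformat(e["timestamp"]).date()
        return None


def build_sample_log():
    """Constructed sample history for one request (hypothetical values)."""
    log = EvidenceLog()
    utc = timezone.utc
    log.record("DSAR-0001", "received", "privacy-inbox",
               {"channel": "email"}, datetime(2024, 3, 1, 9, 0, tzinfo=utc))
    log.record("DSAR-0001", "identity_verified", "analyst-a",
               {"method": "account login challenge"}, datetime(2024, 3, 12, 14, 30, tzinfo=utc))
    log.record("DSAR-0001", "systems_searched", "analyst-a",
               {"systems": ["crm", "billing", "support-tickets"]},
               datetime(2024, 3, 20, 11, 0, tzinfo=utc))
    log.record("DSAR-0001", "response_sent", "analyst-b",
               {"channel": "secure portal"}, datetime(2024, 3, 28, 16, 45, tzinfo=utc))
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print(log.verify())                     # (True, None)
    log.entries[1]["timestamp"] = "2024-03-02T09:00:00+00:00"  # backdate verification
    print(log.verify())                     # (False, 1)
```

A hash chain proves internal consistency, not honesty of the party holding it: whoever controls the log could rebuild the whole chain. For evidence that stands up to a regulator, the head hash should be anchored somewhere the organization cannot quietly rewrite, such as a trusted timestamping service, a write-once store, or a signed periodic export handed to an independent party.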
Key Takeaways
- One calendar month from the day after receipt — not 30 days
- Extensions require notification within the first month
- Identity verification does not pause the deadline clock
- Verbal requests count under the GDPR
- Document everything — regulators want evidence, not promises
Getting DSAR deadlines right is foundational to privacy compliance. But tracking deadlines across jurisdictions, capturing evidence, and generating audit-ready reports shouldn't require spreadsheets and calendar reminders.