What Happens When You Miss a DSAR Deadline

Missing a DSAR deadline is not a theoretical risk. It's the single most common complaint filed with European data protection authorities, and it triggers enforcement actions that range from formal reprimands to seven-figure fines.

Here's what actually happens when you miss one.

The Immediate Consequences

1. The Data Subject Complains

Most data subjects don't file complaints on day one after the deadline passes. They wait. They follow up by email. They give you a second chance.

But when weeks pass without a response — or worse, without any acknowledgement — they file a complaint with their supervisory authority. In the EU, every member state has a data protection authority (DPA) that accepts complaints online, often in under five minutes.

Once a complaint is filed, you've lost control of the timeline. The DPA sets the pace, and they have no incentive to rush on your behalf.

2. The Supervisory Authority Investigates

DPA investigations follow a pattern:

  1. Initial inquiry: The DPA contacts you, typically by letter, requesting your response to the complaint and documentation of your DSAR handling process.
  2. Evidence request: They ask for your Record of Processing Activities, DSAR policies, and — critically — evidence of when you received the request and what you did about it.
  3. Assessment: The DPA evaluates whether you had adequate processes, whether the delay was justified, and whether this is an isolated incident or a pattern.

The investigation itself is burdensome. Responding to a DPA inquiry takes significantly more time and effort than responding to the original DSAR would have.

3. The Outcome

Depending on the severity and your cooperation, the DPA can:

Real Enforcement Examples

Late Responses Trigger Fines

The Austrian DPA fined an organization EUR 18 million in part because DSAR responses were systematically delayed. The Italian DPA (Garante) has imposed fines exceeding EUR 1 million for DSAR handling failures. In 2024, the Belgian DPA fined a company specifically for failing to respond to a right of access request within the legal deadline.

These aren't outliers. The European Data Protection Board's annual reports consistently show that right of access (Article 15) complaints represent the largest category of complaints across member states.

Pattern Matters More Than Individual Cases

A single late response to an unusual or complex DSAR might result in a reprimand. But a pattern of missed deadlines — indicating systemic failure — dramatically increases the fine. DPAs look for:

An organization that can show documented processes, training records, and an evidence trail for how it handles DSARs is in a fundamentally different position than one that has nothing.

Beyond Fines: The Hidden Costs

Reputational Damage

DPA decisions are published. In many jurisdictions, the name of the organization is included. A Google search for your company name returning a DPA enforcement action is difficult to undo.

For B2B companies, this is especially damaging. Enterprise buyers conduct due diligence on privacy practices. A published enforcement action becomes a procurement blocker.

Due Diligence Failures

M&A transactions increasingly include privacy compliance as a diligence item. Missed DSAR deadlines, open complaints, and enforcement actions directly impact valuation. Acquirers see these as inherited liabilities — and they discount accordingly.

Customer Trust Erosion

Data subjects who file complaints talk about it. Online forums, social media, and review sites amplify individual experiences. "They ignored my data request for three months" is the kind of statement that damages brand perception far beyond the individual case.

Internal Resource Drain

Responding to a DPA investigation requires legal counsel, compliance team time, IT involvement for evidence gathering, and management attention. Conservative estimates put the cost of responding to a DPA inquiry at EUR 15,000-50,000 in internal resources alone — before any fine is imposed.

The CCPA and Other Laws

The GDPR isn't the only law with DSAR enforcement teeth.

California (CCPA/CPRA): 45-day response deadline. The California Attorney General and the new California Privacy Protection Agency actively enforce. Fines up to $7,500 per intentional violation — and each unresponded DSAR is a separate violation.

Virginia (VCDPA): 45-day deadline. The Attorney General can impose fines up to $7,500 per violation.

Colorado (CPA): 45-day deadline with only a 15-day extension (compared to GDPR's 2-month extension). Attorney General enforcement.

UK GDPR: Same rules as EU GDPR, enforced by the ICO. The ICO has issued multiple reprimands and enforcement notices for DSAR failures.

Brazil (LGPD): 15-day deadline — one of the shortest globally. The ANPD is ramping up enforcement.

For organizations operating across jurisdictions, the challenge multiplies. Each law has different deadlines, extension rules, and exemption criteria. Missing a deadline under one law while compliant under another still results in enforcement in that jurisdiction.

How to Prevent Missed Deadlines

The solution isn't complicated, but it requires discipline:

  1. Central intake: Every DSAR, regardless of channel (email, phone, form, social media), must be logged in a central system immediately
  2. Automatic deadline calculation: Calculate the deadline from the day after receipt, accounting for the specific jurisdiction's rules
  3. Assignment and tracking: Every case needs an owner and visible deadline tracking
  4. Escalation triggers: Automated alerts at 7 days, 3 days, and 1 day before deadline
  5. Extension management: If you need more time, notify the data subject within the first month — and document the reason
  6. Evidence capture: Timestamp every action — receipt, verification, search, compilation, response delivery
  7. Regular review: Monthly review of open cases, average response times, and near-misses
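
Steps 2 and 4 can be automated with very little code. The sketch below is an added example, not code from the article or any product it mentions. It assumes calendar-day counting with no holiday or extension handling, uses the base response periods named in this article (one month for GDPR and UK GDPR), and the function names and sample cases are constructed for illustration.

```python
from calendar import monthrange
from datetime import date, timedelta

# Base response periods named in the article; the one-month GDPR period is
# Art. 12(3). Extensions, tolling and holiday rules are NOT modelled here.
RULES = {
    "GDPR": ("months", 1), "UK_GDPR": ("months", 1),
    "CCPA": ("days", 45), "VCDPA": ("days", 45), "CPA": ("days", 45),
    "LGPD": ("days", 15),
}
ALERT_OFFSETS = (7, 3, 1)  # escalate this many days before the deadline


def add_months(d: date, n: int) -> date:
    """Same day-of-month n months later, clamped to the month's last day."""
    idx = d.month - 1 + n
    year, month = d.year + idx // 12, idx % 12 + 1
    return date(year, month, min(d.day, monthrange(year, month)[1]))


def deadline(received: date, law: str) -> date:
    """Last day to respond, counting from the day after receipt."""
    if law not in RULES:
        raise ValueError(f"no deadline rule for {law!r}; refusing to guess")
    unit, n = RULES[law]
    return add_months(received, n) if unit == "months" else received + timedelta(days=n)


def status(received: date, law: str, today: date):
    """Return (state, days_left, alert_offset) for one open case."""
    days_left = (deadline(received, law) - today).days
    if days_left < 0:
        return ("overdue", days_left, None)
    hit = [o for o in ALERT_OFFSETS if days_left <= o]
    return ("escalate", days_left, min(hit)) if hit else ("on_track", days_left, None)


if __name__ == "__main__":
    # Constructed intake log: (case id, law, date received)
    cases = [("C-1", "GDPR", date(2025, 1, 31)), ("C-2", "LGPD", date(2025, 2, 10)),
             ("C-3", "CCPA", date(2025, 1, 2))]
    for cid, law, rcv in cases:
        print(cid, law, deadline(rcv, law), status(rcv, law, date(2025, 2, 22)))
```

A request received on 31 January shows why month arithmetic needs clamping: the one-month deadline lands on the last day of February, not on a date that does not exist.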

The organizations that consistently meet DSAR deadlines aren't the ones with the largest compliance teams. They're the ones with systems that make it impossible to forget.

Key Takeaways
