GDPR DSAR 30-Day Deadline: What Happens If You Miss It?

Under GDPR, organizations have 30 days (one calendar month) to respond to Data Subject Access Requests (DSARs). Missing this deadline can result in complaints to supervisory authorities, compensation claims, and reputational damage. This guide explains how to calculate deadlines correctly and what options exist when you can't meet them.

Understanding the 30-Day Rule

Article 12(3) states controllers must respond "without undue delay and in any event within one month of receipt of the request." The clock starts from the day after you receive the request, not the day you verify identity.

When Can You Extend the Deadline?

GDPR permits a two-month extension (total three months) only when requests are "complex or numerous." You must:

• Notify the data subject within the original one-month deadline
• Explain the reasons for the extension
• Document why the request qualifies as complex

What Qualifies as "Complex"?

• Large volumes of data across multiple systems
• Need to consult third parties
• Legal review required (e.g., litigation-related data)
• Requests involving multiple data subjects' information that must be redacted
• Technical challenges in locating or extracting data

Identity Verification and Deadlines

Article 12(6) allows you to request additional information to verify the requester's identity. However, this doesn't pause the clock indefinitely. Best practice:

• Request ID verification immediately upon receiving a DSAR
• Set a reasonable deadline for verification (e.g., 14 days)
• Document all communication and delays caused by the data subject
• If verification isn't provided, you can refuse to act—but must still respond within the deadline explaining why

Consequences of Missing Deadlines

Regulatory Action

• Complaints to supervisory authorities (triggers investigation)
• Enforcement notices requiring specific actions
• Administrative fines up to €20 million or 4% of global turnover
• Public enforcement decisions damaging reputation

Civil Claims

• Data subjects can claim compensation for distress
• Legal costs if claims proceed to court
• Class actions possible in some jurisdictions

In 2023, the UK ICO issued multiple reprimands specifically for DSAR response delays, emphasizing that "organizations must have adequate processes in place to meet statutory timescales."

Best Practices for Meeting Deadlines

• Acknowledge receipt immediately (within 24-48 hours)
• Establish a centralized intake process across the organization
• Pre-map data locations to accelerate searches
• Create response templates for common scenarios
• Set internal deadlines earlier than the legal deadline (e.g., 21 days)
• Escalate immediately when complexity is identified
• Track all DSARs in a single system with automated reminders

Handling Multiple Simultaneous DSARs

Receiving numerous DSARs at once (whether coincidentally or coordinated) creates resource challenges. Options include:

• Using the two-month extension with proper notification
• Implementing batch processing for similar requests
• Considering whether requests are "manifestly excessive" (high threshold)
• Temporarily reallocating staff resources

DSAR Response Content Requirements

Meeting the deadline requires providing complete information. Article 15 mandates disclosure of:

• Confirmation of whether data is processed
• Copy of the personal data
• Purposes of processing
• Categories of data
• Recipients or categories of recipients
• Retention period or criteria
• Right to lodge a complaint with a DPA
• Source of the data (if not collected from the individual)
• Existence of automated decision-making

Automating DSAR Management

Manual DSAR tracking via email and spreadsheets leads to missed deadlines, especially as request volumes increase. Common problems include lost requests, unclear ownership, and lack of audit trails.