Skip links
hoggo post banner

Data Subject Requests (DSR) – Response Times

Why Are Data Subject Requests Timeframes So Important?

Complying with the needed time frame helps you avoid complaints and fines. For example, in Europe, a company that fails to comply with this requirement risks the highest fine possible under the GDPR (The General Data Protection Regulation) is 20 million euros or 4% of their worldwide turnover. A significant fine is likely to only be imposed by the regulators if a company consistently misses the one-month response deadline and disregards the GDPR in other ways. 

In the EU, GDPR enforcement is largely based on complaints. Even if a company will not incur the highest fine for missing a deadline, regulatory investigations triggered by complaining individuals drain a company’s resources and should be avoided as much as possible. In order to prevent complaints from being filed with the data protection authorities, your company might want to make sure that it sticks to the legal deadline and keeps the individuals making requests happy.

🇪🇺 Data Subject Requests Under The GDPR

When does the one-month period begin and end?

The answer can be found in the Regulation No. 1182/71, which determines the rules applicable to time periods, dates, and time limits.

  • While the time period actually starts when a request is made, you actually start with the next day when calculating the time period.
  • The time period to respond to an individual rights request ends at midnight of the day a month later.
  • If the day on which the time period ends does not exist in the month, the time period will end at midnight of the last day of that month.
  • The time period includes public holidays, Sundays and Saturdays.
  • If the last day of the time period falls on a public holiday, Sunday, or Saturday, the time period will end at midnight of the following working day.

Example 1: You receive an access request on June 30th. A one-month time period should be calculated from the next day, July 1, and will run until the corresponding calendar date in the next month. In this example, the time period ends on August 1 at midnight.

The shortest period that a month can last is 28 days and the shortest amount of time that a period of 3 consecutive months can last is 89 days.  Therefore, the following response times can be used as defaults to guarantee timely DSR fulfilment. It is also possible to strictly adhere to the ‘1 month/3 month’ approach, but the ‘days’ approach is often easier to implement into automated systems.

GDPR

Reply withinCount startsExtension
28 daysThe next day from when a request was madeAdditional 61 days

🇧🇷 Data Subject Requests Under The LGPD (Brazil)

The controller must respond to the data subject’s request immediately. Alternatively, the controller can:

  1. Inform the data subject that they are not the data processing agent, and indicate, wherever possible, who the data processing agent is; or
  2. State the reasons for which the measure cannot be adopted immediately based on fact or law.

The rights of confirmation of processing and access to data must be addressed by the controller immediately when in a simplified format or up to 15 days when in a clear and complete declaration (Article 19(II) of LGPD). For the other data subject rights, the ANPD must regulate the appropriate timeframe that should be observed by data controllers (Article 19 (§4º) of the LGPD).

Brazil - LGPD

Reply withinCount startsExtension
ImmediatelyFrom the day the requests was received Up to 15 days

🇺🇸 Data Subject Requests Under The California CCPA (+CPRA) 

When a California data subject exercises the Right to Know or Delete, businesses have 45 days to disclose and deliver the information. Under the CCPA, verifying a consumer’s identity is not an excuse to extend the deadline. However, with a valid reason for extension, the rights to Know or Delete can be extended to allow the controller a total time of 90 days to complete the requested DSR. The CCPA also requires businesses to confirm receipt of a consumer’s request and provide information about how it will process the request within 10 business days

When a consumer exercises their right to opt out, the controller must comply within 15 days, without the possibility of extension.

CCPA

Reply withinCount startsExtension
45 daysFrom the day the requests was received Additional 45 days

Opt out requests

Reply withinCount startsExtension
15 daysFrom the day the requests was received Not possible

🇺🇸 Data Subject Requests Under The Virginia Consumer Data Protection Act (VCDPA)

The VCDPA provides that controllers must respond to requests to exercise their consumer rights within 45 days, which may be extended once for an additional 45 days, with an explanation of the reason for delay. The VCDPA also grants consumers the right to appeal a controller’s refusal of such a request through a novel “conspicuously available” appeal process to be established by the controller.

Within 60 days of receiving an appeal, a controller must inform the consumer in writing of its response to the appeal, including a written explanation of the reasons for the decision. If the controller denies the appeal, it must also provide the consumer with an “online mechanism (if available) or other method” through which the consumer can submit a complaint directly to the Attorney General.

Virginia - VCDPA

Reply withinCount startsExtension
45 daysFrom the day the requests was received Additional 45 days

Request to appeal a controller’s refusal of a data subject request

Reply withinCount startsExtension
60 daysFrom the day the requests was received Not possible

🇺🇸 Data Subject Requests Under Colorado Privacy Act (CPA)

Like the GDPR, CCPA, and VCDPA before it, under the CPA a controller must respond to a consumer rights request within 45 days of receipt and may subsequently extend that deadline by an additional 45 days when reasonably necessary. When a business extends that deadline, it must notify the consumers within the initial 45-day response period with an explanation for the extension.

Like the VCDPA, the CPA also provides consumers the right to appeal a business’ denial to take action within a reasonable time period.  Unlike the VCDPA, the CPA provides controllers with a 45-day window to respond to the appeal and also allows for a 60-day extension to respond to the appeal when reasonably necessary.

Colorado - CPA

Reply withinCount startsExtension
45 daysFrom the day the requests was received Additional 45 days

Request to appeal a controller’s refusal of a data subject request

Reply withinCount startsExtension
60 daysFrom the day the requests was received Not possible

🇺🇸 Data Subject Requests Under The Utah Consumer Privacy Act (UCPA)

Like other privacy acts, the Utah privacy law gives consumers a number of rights related to their personal data, including the right to:  

  • Access and delete personal data. 
  • Opt out of the collection and use of personal data for certain purposes. 
  • Obtain a copy of their personal data in a format that is feasible, practicable, readily usable, and portable. 

According to the UCPA, within 45 days after the day a request is received, controllers must take action on the consumer’s request: and inform the consumer of any action taken on the consumer’s request.

The controller may extend by an additional 45 days if:

  • Reasonably necessary due to the complexity of the request or the volume of the requests received by the controller
  • The controller has informed the requestor about the extension within the original 45 days time frame, including the length of the extension and the reason.

Utah - UCPA

Reply withinCount startsExtension
45 daysFrom the day the requests was received Additional 45 days

🇺🇸 Data Subject Requests Under Texas Data Privacy and Security Act (TDPSA)

The TDPSA requires covered businesses to establish two or more secure and accessible methods (through the website or by email in specified circumstances) for consumers to submit authenticated requests to exercise their rights with respect to their personal data.

Responses to consumer requests are due within 45 days of receipt, subject to a 45-day extension, when reasonably necessary. Controllers must provide information in response to a consumer’s request “at least twice annually per consumer” and free of charge, unless the request is “manifestly unfounded, excessive, or repetitive.”

Texas - TDPSA

Reply withinCount startsExtension
45 daysFrom the day the requests was received Additional 45 days

🇺🇸 Data Subject Requests Under Montana Consumer Data Privacy Act (MTCDPA)

Consumers have the option to exercise their rights by submitting requests through any of the methods outlined in the privacy policy. You are obligated to respond within 45 days. For more complex requests, this timeframe may be extended by an additional 45 days.

If a controller denies a request, the consumer retains the right to appeal the decision, and the controller must provide guidance on how to proceed with the appeal process. The controller is given a timeframe of 60 days to respond to such appeals.

Montana - MTCDPA

Reply withinCount startsExtension
45 daysFrom the day the requests was received Additional 45 days

🇬🇧 Data Subject Requests Under The UK GDPR

What is a calendar month?

According to the ICO, a calendar month starts on the day the organisation receives the request, even if that day is a weekend or public holiday. It ends on the corresponding calendar date of the next month. 

Example

The request was received on 3 September. The time limit begins on the same day, so the organisation has until 3 October to respond. Calendar months end on the next working day if the end date falls on a Saturday, Sunday, or bank holiday.

UK GDPR

Reply withinCount startsExtension
28 daysFrom the day the requests was received Additional 61 days

Penalties For Noncompliance With Data Subject Requests Response Times

It can be particularly onerous for companies to fail to comply with DSR response time requirements. According to GDPR, the maximum fine for infringements is 20 million euros, or 4% of annual global turnover, whichever is greater. Companies that violate the CCPA, are subject to civil penalties between $2,500 and $7,500.

Noa_Kahalon
Noa Kahalon
COO at hoggo | + posts

Noa is a certified CIPM, CIPP/E, and a Fellow of Information Privacy (FIP) from the IAPP. Her background consists of marketing, project management, operations, and law. She is the co-founder and COO of hoggo, an AI-driven Digital Governance platform that allows legal and compliance teams connect, monitor, and automate digital governance across all business workflows.