Introduction to this document

GDPR time extension for data subject rights response

Using our letter, you can extend the one-month time period for compliance with a data subject rights request by a further two months if the request is complex or if you have received numerous requests from the individual.

Standard time limit

Under the UK GDPR, the time limit for responding to a data subject’s request for erase or rectification of their personal data, or to restrict the processing of it, is one month from the date of receipt of the request, although the legislation also states that you should respond “without undue delay”. This time limit is calculated from the day you receive the request, whether that’s a working day or not, until the corresponding calendar date in the following month. If this is not possible because the following month is shorter (and there is no corresponding calendar date), the date for response is the last day of the following month. If the corresponding date falls on a weekend or public holiday, you have until the next working day to respond. This means that the exact number of days you have to comply with a request varies, depending on the particular month in which the request was made. For practical purposes, if you require a consistent number of days, e.g. for operational or system purposes, you may find it helpful to adopt a 28-day period so as to ensure compliance is always within one calendar month.

Extension of time

However, you can extend this time period for replying by a further two months where necessary, taking into account “the complexity and number of the requests”. The latter circumstance encompasses where you’ve received numerous data subject rights requests from the same person (note that these don’t need to necessarily be the same type of request), but it doesn’t apply where you’re busy because you’re currently dealing with a lot of requests submitted by different people. As for complexity, this is fact and context dependent and the more the data subject has narrowed down their precise request, the harder it will be for you to argue that it’s complex.

How to extend time

If you want to extend the time period, you must contact the data subject within one month of your receipt of their request to inform them and to explain why it’s necessary. You should set out in some detail the reasons for the delay. Our GDPR Time Extension for Data Subject Rights Response letter outlines a number of common reasons for extending the time to respond to an erasure, rectification or restriction of processing request, either because it’s complex or because the data subject has submitted numerous recent requests. These reasons are not intended to be exhaustive and you will need to delete, amend or add to them so that they’re relevant to your own particular business reasons.