Introduction to this document

GDPR time extension for subject access response

You can extend the one-month period for compliance with a UK GDPR data subject access request by a further two months where requests are complex or numerous.

Two-month extension

Under the UK GDPR, the time limit for responding to a data subject access request (DSAR) is one month from the date of receipt of the request, although the legislation also states that you should respond “without undue delay”. The one-month time limit is calculated from the day you receive the request, whether it is a working day or not, until the corresponding calendar date in the next month. If this is not possible because the following month is shorter and there is no corresponding calendar date, the date for response is the last day of the following month. If the corresponding date falls on a weekend or public holiday, you have until the next working day to respond. However, you can extend this time limit by a further two months where necessary, taking into account the complexity and number of the requests. The latter circumstance encompasses where you’ve received numerous requests from the same person; it doesn’t apply where you happen to currently be dealing with lots of DSARs submitted by different people. As for complexity, this is fact and context dependent and the more the individual has narrowed down their request, the harder it will be for you to show complexity.


If you want to extend the time period, you must contact the individual within one month of the DSAR’s receipt to inform them of the extension and to explain why it’s necessary. This means you’ll need to set out in some detail the reasons for the delay in responding. Our GDPR Time Extension for Subject Access Response sets out a number of common reasons for extending the time to respond to a DSAR, either because it’s complex or because the individual has submitted numerous recent DSARs. These reasons are not intended to be exhaustive and you will therefore need to delete, amend or add to them so that they’re relevant to your own business reasons for the delay.


If you do fail to comply with your obligations under the UK GDPR, including failing to comply with data subject access rights, the individual can complain to the Information Commissioner’s Office and you can be subjected to potential fines of up to £17.5 million or 4% of the worldwide annual turnover of the business, whichever is higher. The individual can also seek a court order for compliance with their DSAR and claim compensation for damage suffered as a result of the breach.