
DSAR Deadlines: How Fast Must You Respond, and How Never to Miss One
Short answer
A data-subject request must be answered within one month of receipt under Article 12 GDPR. The month runs from the day the request arrives, not the day you notice it, and it can be extended by two further months only for genuinely complex or numerous requests, with the extension communicated inside the first month. The controller, not the EU representative, is responsible for the response. The reliable way to stay inside the window is to track every request from the moment it lands and be reminded until it is confirmed handled.
Someone emails and asks for a copy of everything you hold about them. Or to delete it. Or to correct it. The moment that request lands, a clock starts, and it is shorter than most non-EU companies expect. The uncomfortable part is that many businesses learn how long they had only after they have already run out of it.
This is the plain-English version: how long the GDPR gives you, when the clock starts, who is actually on the hook, and how to make sure a deadline never slips past you unnoticed.
The deadline: one month, and it starts on receipt
Article 12(3) sets the rule. You must respond to a data-subject request "without undue delay and in any event within one month of receipt." That is the number to remember: one month.
Two details trip people up. First, the clock starts on receipt, not on the day you notice the request. A message that sits unread in a shared inbox for two weeks has already burned two weeks of your month. Second, the month is a calendar month, so a request received on the 10th is due by the 10th of the next month, not thirty days later to the hour.
There is an extension, but it is narrower than it sounds. You can add up to two further months where the request is genuinely complex or where you have received a number of requests at once. But you have to tell the person you are extending, and why, within the first month. Miss that window and the extension is not available to you. So in practice, unless you actively claim more time in the first four weeks, one month is your deadline.
Who has to answer: you, not your representative
This is the point that surprises people who have appointed an EU representative under Article 27 and assume the obligation has moved.
It has not. The representative is your point of contact inside the Union: the address a data subject or a regulator writes to, so that someone reachable in the EU receives the request. But the legal duty to actually answer the person, and to answer on time, stays with you, the data controller. You are the one who holds the data and knows what to do with it. Your representative cannot see inside your systems and cannot reply on your behalf.
A representative moves the mailbox into the EU. It does not move the deadline off your desk.
So the honest division of labour is this: the request comes in through your representative, you respond to the person, and a good representative makes sure the clock never runs out quietly in between.
Why deadlines get missed
Companies rarely miss a DSAR deadline because they refused to comply. They miss it because the request never reached the right person, or reached them and then slipped down the pile. The failure is almost always operational, not deliberate:
- The request went to a generic address that nobody owns.
- It arrived while the one person who handles them was on leave.
- It was logged, then quietly forgotten with three weeks still on the clock, which felt like plenty of time until it was not.
None of these are exotic. They are the ordinary ways a one-month window closes while everyone assumes someone else is watching it.
How Usantis keeps the clock from running out
This is exactly the gap our representation service is built to close, and it is worth being precise about what it does and does not do.
The moment a request comes in through your hosted compliance page, it appears in your dashboard and we email you. From there we track the Article 12 clock for you: you get a reminder when the request arrives, another a few days in, and again as the one-month deadline approaches. When you have replied to the person directly, you mark the request as answered in a single click, and the reminders stop. If a request is still open after a week without that confirmation, we flag it and follow up with you, so it does not drift.
What we do not do is answer the request for you or vouch that your answer was correct, because only you can see your data and decide how to handle it. We do not guarantee compliance. What we make sure of is narrower and genuinely useful: that no deadline passes unnoticed on our watch. For a small team that handles requests between everything else, that is usually the difference between a routine reply and a regulator's letter.
What to do the day a request lands
If you take one operational habit from this article, take this: treat the arrival date as day one and work backwards from the deadline, not forwards from today. Confirm who the request is from, decide whether you need to verify their identity, gather the data or make the change, reply to them directly, and then close the loop by recording that you have done it. Keep the record; a documented, on-time response is your best evidence if the request is ever escalated.
If you are still deciding whether you even need an EU representative to receive these requests in the first place, our Article 27 explainer and the 60-second compliance checker are the fastest way to find out. And if you already have EU users, the deadline in this article is already running the next time someone asks.
Frequently asked questions
Written by
Usantis
The Usantis editorial team writes about EU representation and Article 27 GDPR for companies based outside the EU. More articles
Stay off the enforcement tracker.
See whether Article 27 applies to you in about a minute, then set up your EU representative.