GRC Answer
How long do you have to respond to a DSAR?
Under GDPR Article 12(3), a controller must respond to a data subject access request without undue delay and within one month of receiving it. The period can be extended by two further months for complex or numerous requests, giving a three-month maximum, provided you notify the individual within the first month and explain the reasons. The legal unit is one month, not 30 days; a month is calculated by the calendar. Acuna's data privacy management tracks each DSAR against a response deadline with a colour-coded countdown, records the one permitted extension with its rationale, and links the request to the processing activities that hold the subject's data.
Related questions