GDPR Article 15 Time Limit: A Complete Guide to DSAR Deadlines and Compliance

The General Data Protection Regulation (GDPR) gives individuals powerful rights over their personal data. Among these rights, Article 15 – the Right of Access – is the one people use most frequently. Whenever someone submits a Data Subject Access Request (DSAR), asking for a copy of the data an organization holds about them, the company must respond within a strict legal timeframe.

This timeframe is known as the GDPR Article 15 time limit, and misunderstanding it is one of the most common compliance failures. Regulators across Europe routinely investigate companies for responding late, failing to provide updates, or misusing the extension period.

This article breaks down the one-month rule, the possible extension, what “complexity” really means, and how companies can navigate DSAR time limits effectively and lawfully.


What GDPR Article 15 Says About Time Limits

Article 15 itself deals with the right of access, but the actual time limit comes from GDPR Article 12(3), which applies to all data subject rights.

The rule is simple:
Organizations must respond to an access request without undue delay and at the latest within one month of receiving it.

The “one month” requirement is strict and measurable, not an approximation.

One month means the same day of the next month

If a DSAR is received on 10 March, the deadline is:

10 April

If the next month has fewer days and no matching date, the deadline is the last calendar day of that month.


When the One-Month Clock Starts Running

A crucial part of compliance is knowing the exact moment the countdown begins.

The one-month timeframe starts as soon as the organization receives the request, not when it is read, reviewed, or assigned.

This includes:

  • Requests submitted via email or contact form

  • Verbal requests

  • Social media messages

  • Customer support tickets

  • Requests addressed to any department

  • Requests sent to any employee

GDPR does not require a DSAR to use special language.
A message as simple as “I want to access my data” triggers the obligation.


Does Identity Verification Pause the One-Month Time Limit?

This is a crucial part of DSAR handling.

Yes — but only if verification is strictly necessary.

The clock begins when the company receives the request, but if the company cannot reasonably identify the requester, it can ask for additional information.

During this period:

  • The timer is paused

  • The timer resumes when the person is successfully verified

But companies cannot deliberately delay verification. If they request unnecessary documents or make identity checks overly complicated, regulators may consider the delay unlawful.

Identity checks must be:

  • Reasonable

  • Proportionate

  • Relevant to the sensitivity of the data

For example:

Allowed: Asking for proof of identity before sending medical records
Not allowed: Asking for a passport copy to disclose an email subscription list


When the One-Month Deadline May Be Extended

GDPR gives organizations the right to extend the one-month deadline by two extra months — but only when strictly necessary.

In total:

  • Standard DSAR response time: 1 month

  • Maximum with extension: 3 months

However, the extension is allowed only in two cases:


1. When the request is complex

Complexity may arise due to:

a. Large volumes of data across many systems

For example:

  • Multiple databases

  • Emails, logs, archived systems

  • CRM + ticketing + analytics + HR systems

b. The presence of third-party data

If personal data is intertwined with another person’s information, redaction may be required.

c. The request includes complicated categories

Authentication logs, inferred data, risk scoring, internal notes, profiling data, and automated decision mechanisms often require legal review.

d. The person requests data in a specific, unusual format

Organizations must comply if possible, but it may take longer.

e. The request involves historical or archived data

If retrieval requires significant resources, it may qualify as “complex.”


2. When the organization receives multiple requests from the same data subject

This includes:

  • Simultaneous DSARs

  • Multiple rights requests (e.g., access + erasure + rectification)

  • Frequent requests about different types of data

But note: “frequent requests” do not automatically justify an extension. Regulators expect companies to demonstrate why the workload is excessive.


The Extension Must Be Communicated Within the First Month

The two-month extension is not automatic. It is only valid if the organization:

  1. Notifies the individual within the first month

  2. Provides a clear explanation

  3. Describes the reason for the delay

  4. States the new deadline clearly

If the company fails to communicate the extension in the first month, the request is automatically late.


What Does NOT Count as a Valid Reason for an Extension

Regulators have clarified repeatedly that certain situations do not justify extending the deadline.

These include:

✘ Internal workload

Being too busy is not a valid excuse.

✘ Staff shortages or holidays

Organizations must plan for DSAR obligations.

✘ Large number of DSARs

A flood of requests is not a justification.

✘ Lack of processes or disorganized data

Poor internal structure is not an excuse.

✘ Third-party delays

If a processor is slow, the controller is still responsible.

✘ Technical restructuring or system migration

DSAR duties remain in effect under all circumstances.

✘ Waiting for legal approval or internal reviews

Compliance deadlines override internal bureaucracy.

✘ Misinterpretation or confusion about the request

The request must be clarified quickly — not used as a delay tactic.

Companies sometimes assume they can request clarifications and pause the clock indefinitely. This is incorrect. Clarification is allowed only when needed, and the original request timeframe still applies.


How Supervisory Authorities Treat Delays

European Data Protection Authorities (DPAs) consistently view late DSAR responses as serious violations.

Complaints often arise when:

  • Companies miss the one-month deadline

  • Companies use unjustified extensions

  • Companies fail to explain delays

  • Companies ignore requests or provide incomplete responses

  • Identity verification is used abusively to stall the process

In many cases, fines have been issued for:

  • Responding late

  • Responding partially

  • Failing to inform the individual within the first month

  • Failing to document reasons for delay

DSAR time limits are strictly enforced because Article 15 is central to GDPR transparency.


Clarifying the Request: Does It Change the Time Limit?

Under GDPR, if a request is too broad, the organization can ask the individual to clarify what types of data they want.

However:

  • The one-month deadline still applies

  • The company must still respond in time even if clarification is not received

  • Companies cannot delay the request by repeatedly asking questions

If the individual fails to clarify, the company must:

  • Make a reasonable effort

  • Search for personal data based on the information available

  • Provide whatever data can be delivered within the timeframe

Clarification cannot be used as a tool to avoid compliance.


Providing Updates: An Often-Ignored Requirement

Even if the company can meet the one-month deadline, GDPR encourages:

  • Regular updates

  • Transparent communication

  • Clear explanations of progress

This becomes essential during extensions. Silence often leads users to file complaints, triggering investigations.


Real-Life Examples of DSAR Time Limit Compliance

Example 1: Standard Request (1-Month Deadline)

A customer requests access to their online store purchase history.
The company retrieves:

  • Account details

  • Order logs

  • Support conversations

  • IP data tied to the account

No complexity.
Deadline: 1 month


Example 2: Complex Request (3-Month Deadline)

A former employee requests extensive HR data:

  • Emails

  • Performance reviews

  • Disciplinary records

  • Payroll data

  • System access logs

  • CCTV footage

This requires redaction of other employee data, legal review, and coordination across departments.
Extension justified.
Deadline: 3 months


Example 3: Identity Verification Needed

A user emails from a different address than the account on file.
Verification requested immediately.
Time limit pauses until confirmation is received.
After confirmation, the 1-month deadline resumes.


Example 4: Request From Social Media

An individual messages the company’s official Instagram account requesting access.
The request is valid.
One-month timer starts when the message is received, not when it reaches the privacy team.


What Companies Should Do to Meet the Article 15 Time Limit

Compliance is easiest when organizations build strong internal processes.

Below are the most important practices.


1. Centralized DSAR Intake System

All staff must know that any request can trigger Article 15.
Companies should set up:

  • A dedicated DSAR email

  • Internal reporting channels

  • Automated notifications


2. Clear Identity Verification Protocols

Define when:

  • Email confirmation is enough

  • ID documents are justified

  • Additional verification is necessary

Make the process fast and predictable.


3. Automated Timers and Deadline Tracking

Use software or internal workflows to:

  • Record the date of receipt

  • Calculate deadlines automatically

  • Trigger reminders

  • Track paused time during verification
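
An added example (not part of the original article) of the deadline tracking listed above, using the same-day-next-month rule, the identity-verification pause, and the extension that must be notified within the first month. The `Dsar` class and its field names are hypothetical. It assumes each paused day moves the deadline out by one day, and that "within the first month" is measured against that adjusted one-month deadline.

```python
import calendar
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


def add_months(start: date, months: int) -> date:
    """Same day of the month `months` later, clamped to that month's last day."""
    index = start.month - 1 + months
    year, month = start.year + index // 12, index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(start.day, last_day))


@dataclass
class Dsar:  # hypothetical record type for this example
    received: date                             # day the request reached the organization
    verification_asked: Optional[date] = None  # identity check requested
    verified: Optional[date] = None            # requester successfully verified
    extension_notified: Optional[date] = None  # extension notice sent to the requester

    def paused_days(self, today: date) -> int:
        """Days the clock has been stopped for identity verification."""
        if self.verification_asked is None:
            return 0
        end = self.verified or today  # still paused while unverified
        return max((end - self.verification_asked).days, 0)

    def _due(self, months: int, today: date) -> date:
        # Assumption: each paused day pushes the deadline out by one day.
        return add_months(self.received, months) + timedelta(days=self.paused_days(today))

    def extension_valid(self, today: date) -> bool:
        """An extension counts only if notified within the first month."""
        return (self.extension_notified is not None
                and self.extension_notified <= self._due(1, today))

    def deadline(self, today: date) -> date:
        return self._due(3 if self.extension_valid(today) else 1, today)

    def overdue(self, today: date) -> bool:
        return today > self.deadline(today)
```

Recording the receipt date from the first channel that saw the request (support ticket, social media message) rather than the date the privacy team picked it up keeps `received` consistent with when the clock actually starts.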


4. Data Mapping and Inventory

The most common cause of delays is not knowing where the data is stored.
Organizations must maintain:

  • A complete data inventory

  • A list of processors

  • A map of data flows

  • Retention schedules


5. Internal DSAR Workflows

Include:

  • Step-by-step instructions

  • Roles and responsibilities

  • Templates for responses

  • Redaction guidelines

  • Logging procedures


6. Secure Data Delivery Channels

This can include:

  • Encrypted files

  • Password-protected downloads

  • Secure portals

Security is essential when delivering personal data.


7. Document Extensions Thoroughly

If a request is complex:

  • Record the reason

  • Notify the individual in the first month

  • Provide details of the new timeline

  • Retain evidence

Documentation protects against audits.


Consequences of Missing the Time Limit

Failure to meet Article 15 deadlines can lead to:

  • Formal complaints

  • Regulatory investigations

  • Orders to comply

  • Administrative fines

  • Mandatory audits

  • Reputational damage

Even if the company eventually responds, a late reply is still a violation.


Conclusion: Article 15 Time Limits Are Strict, Enforceable, and Non-Negotiable

The GDPR Article 15 time limit is one of the most strictly enforced obligations under European data protection law. Organizations must respond to DSARs within:

  • One month for standard requests

  • Up to three months only in cases of justified complexity or volume

Businesses that prepare for DSARs with strong processes, clear communication, and proper documentation will avoid complaints and maintain regulatory compliance.