When does the clock start ticking for a subject access request?

Share This Post

On the face of it, it seems quite simple: you get one month to deal with a subject access request (SAR or DSAR); Article 12 of the GDPR states the information should be provided “without undue delay and in any event within one month of receipt of the request“, but exactly when does the month time limit start and is that 30 days, 31, the same day of the next month?

This week the ICO published a minor update to their guidance about timescales for dealing with SAR, but actually this update post is a little misleading as the timescales are set for other rights for as well, not just the access right, it also applies to the right to erasure, right to portability, etc. Oddly the update comes from a Court of Justice of the European Union ruling from November 2004, which doesn’t specifically relate to data protection, but does set out the court’s interpretation of when time limits start. The outcome is the ICO now say the month deadline starts on the day the request is received (not from the next day), so that SAR that arrives on the 3rd September now needs to be dealt with by 3rd October.

However, when it comes to time limits for SAR and some of the other individuals’ rights it’s not actually that straightforward and sometimes they will have to be dealt with in less than a month. The point is it’s not a question of how you interpret how many days in a month (is it 30, 31, or maybe 28 if you’re talking about February), but more about a general “month” limit. In the ICO guidance the ICO states that if the same day of the month is not available in the next month (e.g. a request on the 31st March when there’s no 31st April) then you have to complete the request by the end of the following month, so a SAR submitted on the 31st March would need to be completed by 30th April, and a SAR submitted on the 31st January would have to be dealt with by 28th February (or 29th in a leap year), so not quite what you may have imagined and not a matter of the average days in a month. And the ICO states in its guidance “For practical purposes, if a consistent number of days is required (eg for operational or system purposes), it may be helpful to adopt a 28-day period to ensure compliance is always within a calendar month.

So, there you have it – time limits aren’t always as obvious as they apparently seem and you may not have a full 30 or 31 days to respond to a SAR, but at least we now know the SAR clock starts ticking from the day you receive the request…

More To Explore

Eat. Sleep. GDPR. Repeat.

We live and breathe GDPR and ePrivacy compliance, so you don’t have too. Our GDPR UNLIMITED helpline is all about offering you help and support, whenever you need it most. As well as the unlimited helpline, you get up to 4 hours “hands-on” help each month, which we can configure to help you in anyway you need such as a GDPR review, or acting as your DPO.

As well as the unlimited helpline and hands-on help you get GDPR and privacy updates, access to our GDPR knowledge centre and webinars.

Unlimited email & phone support

Unlimited email and phone support. Email or organise a voice call as often as you need each month.​

Up to 4 hours "hands-on" help per month

We use these "hands-on" hours to do the GDPR work for you, such as reviews, acting as your DPO, checking DPIA, dealing with breaches, training your staff, etc. (Additional hours: £100+VAT per hour)

Online resources

Our Knowledge Centre gives you access to information, guidance, topic related guides and other tools to support your GDPR and PECR compliance

Updates, alerts & briefings

We provide updates and alerts and a monthly compliance briefing. You can either sign into the Knowledge Centre or sign up via email to receive an email every time we add a new update or alert

DPO services

Whether mandated or not we can act as your Data Protection Officer (DPO) and manage your day to day compliance

Webinars, workshops & training

Whether updates on the latest issue, workshops or team training, it's all included in your monthly retainer.

LIKE WHAT YOU'RE READING? join our email list

Sign up for monthly briefings and the occasional emails about our webinars and services

Want to know more about how we use your data? Check out our privacy policy