Q&As

How do I calculate the time limit for responding to a data subject request?

read titleRead full title
Published on LexisPSL on 05/12/2019

The following Risk & Compliance Q&A provides comprehensive and up to date legal information covering:

  • How do I calculate the time limit for responding to a data subject request?
  • When does the clock start ticking?
  • Worked examples
  • Example 1
  • Example 2
  • Clarifying data subject access requests
  • Practical implications

The General Data Protection Regulation, Regulation (EU) 2016/679 (GDPR) provides for enhanced rights for data subjects, including providing rights of access, rectification, erasure and restriction of processing, data portability, a right to object to processing and a right not to be subject to a decision based solely on automated processing, including profiling, with strict time limits for complying.

You must respond to the data subject without undue delay and in any event within one month of receipt of the request, or within one month of receiving:

  1. any information you have requested to confirm the requester’s identity

  2. any fee you have charged

That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. You must inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. See Q&As: What makes a data subject access request ‘complex’? and How long do I have to comply with an access request?

When does the clock start ticking?

The Information Commissioner’s Office (ICO) originally said you should calculate the time limit starting on the day after you receive the request until the corresponding calendar date in the next m

Popular documents