Skip to content

Subject Access Request: How Long To Respond?

Paige Harris Feb 23, 2022 10:33:14 AM

It's well worth the effort to have a structured data subject access process flow in place because one of the many subject access request requirements of the European Union’s General Data Protection Regulation (GDPR) mandates that you respond to a request within 30 days of receiving it.

Responding to a data subject access request can take some time, and the 30-day deadline includes the date you receive the request, whether that's:

  • A formal written request.
  • A request via short message service or social media.
  • A verbal request.

This guide will explain various subject access request (SAR) situations, the rules for dealing with them, and how much time you have to respond.


What Are The SAR Response Deadlines?

The standard rule is you have 30-days to reply to a SAR. But what happens if you receive a SAR on the weekend or during a public holiday? 

In these cases, you shift the date of receipt to the next working day, and the deadline is the month after that.

If you fail to respond within the 30-day GDPR timeframe, you are subject to fines of up to four percent of your yearly global revenue–up to $22.55 million!


Can I Extend the 30-Day SAR Response Deadline?

In some cases, you can extend the SAR response for up to a maximum of two extra months (for three months total).

The guidance for extensions is quite vague but they are allowed if:

  • The SAR is particularly complex, and you cannot realistically respond in 30 days.
  • You receive many requests from the same individual.

You need to inform the requester of the extension without delay. And it's best to be cautious when explaining why you need the extension and how the situation falls within the allowed circumstances.

CTA General Privacy Graphic (1)What Can I Do If I Don't Understand A SAR?

It's possible to go back to the person making the SAR and ask for more details.

If your business processes a large amount of data, it might mean that you need to impose an extension and explain that you would be able to reply in the typical 30 days if they can provide more details.

You can reply to an unclear SAR and ask:

  • What information would they like?
  • Which processing activities relate to the request?
  • For clarity about any part of the request you don't understand.

Once you've sent the appeal for more detail, the timeline freezes until you receive a reply, although you should still provide any information you can within one month.


How Should I Respond To A SAR?

Individuals are entitled to receive a copy of all the personal data you have on them. As we mentioned earlier, you can receive a SAR via email, paper, phone call or in person. These are all valid requests.

The rule of thumb is that you should reply to all requests in the same manner you received it. 

  • Electronic requests should be replied to in the same way unless the person has requested otherwise.
  • Verbal requests can receive a verbal response, although you must verify the person's identity before discussing the SAR.
  • Written SARs should also be answered in kind.

If you're not confident you have the tools you need to respond to SARs in 30 days, the Enzuzo data request platform is the answer to this problem.

With the platform, you can create data subject access request templates so customers can send requests through a built-in form, verify their identity, get automatic deadline reminders, and receive a compliance report that you can keep on file when the process finishes. SAR responses made easy! 

Leave a Comment