DSARs Explained: Data Subject Access Request Timelines


When an individual submits a Data Subject Access Request (DSAR), your organisation's clock starts. Completing a DSAR on time is an essential part of upholding individuals’ rights. Hitting DSAR deadlines isn’t just about avoiding fines; it’s about building trust. A well-handled DSAR shows customers and regulators that you take privacy seriously.

This guide covers the timelines set by the GDPR and the CCPA/CPRA. You will learn when you need to take action, see examples of what qualifies for an extension or a pause, and understand the consequences of missing a deadline.

DSAR Timelines (GDPR vs. CCPA/CPRA)

Notes & Fine Print & Tips

  • GDPR deadline math:
    • “One month” follows calendar logic: the deadline is the same calendar date in the following month, or the last day of that month if there is no corresponding date (e.g., Aug 31 → Sep 30). If that day is a weekend or public holiday, the deadline moves to the next working day. Use a 28-day internal SLA if you want a safe buffer.
    • The clock starts the day after receipt (e.g., a request received on Aug 27 starts the clock on Aug 28 and is due by Sep 27).
    • In the UK you may pause the clock while you wait for clarification you genuinely need to process the request; misuse of “stop-the-clock” may trigger complaints or penalties.
  • CPRA opt-out requests:
    • The CPRA lets individuals opt out of the sale or sharing of their personal information and limit the use of their sensitive personal information.
    • Opt-out requests must be honoured faster: within 15 business days of receipt, with no option to extend.
  • Tip: put acknowledgements on autopilot
    • Create a template that tells requesters what you will do, how you will verify their identity, and when they can expect to hear back.
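The date rules above are easy to get wrong by hand (month-end clamping, weekend roll-forward, business days versus calendar days), so here is a deadline calculator as an added example; it is not code from the original post or from Phaselaw. It encodes GDPR's one-month period with the two-month extension of Art. 12(3), the CCPA/CPRA 45-calendar-day period with its single 45-day extension, and the 15-business-day opt-out window. The function names, the 28-day internal SLA and the empty default holiday set are assumptions; a real deployment must pass in the public holidays of the jurisdiction that applies.

```python
from __future__ import annotations

import calendar
from datetime import date, timedelta

# Added example (not from the original post). The empty default holiday set is
# an assumption: callers must supply the relevant public holidays.


def add_months(d: date, months: int) -> date:
    """Same day-of-month `months` later, clamped to that month's last day
    (31 Aug -> 30 Sep, 31 Jan -> 28/29 Feb)."""
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))


def next_working_day(d: date, holidays: frozenset[date] = frozenset()) -> date:
    """Roll a deadline that lands on Sat/Sun or a listed holiday to the next working day."""
    while d.weekday() >= 5 or d in holidays:
        d += timedelta(days=1)
    return d


def add_business_days(d: date, n: int, holidays: frozenset[date] = frozenset()) -> date:
    """Count n working days forward from d; d itself is not counted."""
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5 and d not in holidays:
            n -= 1
    return d


def gdpr_deadline(received: date, extended: bool = False,
                  holidays: frozenset[date] = frozenset()) -> date:
    """Art. 12(3) GDPR: one month from receipt, extendable by two further months
    for complex or numerous requests (the extension must be notified within the
    first month). Day of receipt is day zero, so the period ends on the same
    calendar date next month, rolled forward over weekends and holidays."""
    months = 3 if extended else 1
    return next_working_day(add_months(received, months), holidays)


def ccpa_deadline(received: date, extended: bool = False) -> date:
    """Cal. Civ. Code 1798.130(a)(2)(A): 45 calendar days, extendable once by
    a further 45 days with notice given inside the first 45."""
    return received + timedelta(days=90 if extended else 45)


def cpra_opt_out_deadline(received: date,
                          holidays: frozenset[date] = frozenset()) -> date:
    """Opt-out of sale/sharing: no later than 15 business days after receipt; no extension."""
    return add_business_days(received, 15, holidays)


def internal_sla(received: date) -> date:
    """Assumed conservative internal target of 28 calendar days, so the statutory
    month is never the first deadline the team sees."""
    return received + timedelta(days=28)


def dsar_schedule(received: date,
                  holidays: frozenset[date] = frozenset()) -> dict[str, date]:
    """All deadlines for one request, suitable for loading into a ticketing system."""
    return {
        "internal_sla": internal_sla(received),
        "gdpr": gdpr_deadline(received, holidays=holidays),
        "gdpr_extended": gdpr_deadline(received, extended=True, holidays=holidays),
        "ccpa": ccpa_deadline(received),
        "ccpa_extended": ccpa_deadline(received, extended=True),
        "cpra_opt_out": cpra_opt_out_deadline(received, holidays),
    }


if __name__ == "__main__":
    # Constructed sample: a request received on a Wednesday, with US Labor Day as a holiday.
    for name, due in dsar_schedule(date(2025, 8, 27), frozenset({date(2025, 9, 1)})).items():
        print(f"{name:>14}: {due:%a %d %b %Y}")
```

Note the two edge cases the calculator handles that a naive `received + 30 days` does not: a request received on Aug 27 lands on Sep 27, which in 2025 is a Saturday and therefore rolls to Monday Sep 29, and a request received on Jan 31 is due on the last day of February, not "Feb 31". Business-day counting for the opt-out window depends entirely on the holiday set you pass in.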

What counts as “complexity” or “reasonably necessary”? 

Extensions are permissible, but use them sparingly and always document your reasons. Under the GDPR you may extend once by two further months and must tell the individual about the extension, and why, within the first month; under the CCPA/CPRA you may extend once by a further 45 days, with notice given within the first 45 days.

GDPR (EU/UK)

  • Examples of “complexity or number of requests”:
    • High-volume and/or highly dispersed data: large quantities of data across many systems, legacy archives or third-party processors.
    • Heavy redaction needed to protect other people’s data, trade secrets or privileged material, requiring rigorous line-by-line review.
    • Multiple concurrent DSARs from the same person, or a temporary surge of requests from many people.
    • Cross-border data collection or third-party processors that require coordination.
    • Ambiguous or over-broad scope that needs clarification.

CCPA/CPRA

  • The statute doesn’t define “reasonably necessary,” but practical examples include:
    • Broad scope: large, multi-year data pulls across archives and systems.
    • Lengthy coordination with vendors and service providers to honour downstream deletion and correction requests.

What if you miss the deadline?

Missed or ignored DSAR deadlines are a common pain point. Authorities may issue warnings, reprimands, enforcement notices or fines for failing to meet them. When setting a penalty, regulators weigh the nature and scope of the failure, the risk to individuals, your cooperation, your prior history and any remediation already under way.

GDPR (EU/UK)

  • Fines: the GDPR sets two tiers, determined by which provision was breached; within a tier, the amount depends on the gravity of the failure.
    • Lower tier: up to €10M or 2% of global annual turnover (whichever is higher)
    • Upper tier: up to €20M or 4% of global annual turnover (whichever is higher). Failures to honour data subject rights (Articles 12–22), including late or missing DSAR responses, fall in this upper tier (Art. 83(5)(b)).
  • Corrective orders, including:
    • Warnings and reprimands
    • Mandatory audits
    • System overhauls
    • A temporary or definitive ban on processing personal data (in extreme cases)

CCPA/CPRA

  • Fines: penalties scale with intent (the statutory amounts below are adjusted periodically for inflation)
    • Up to $2,500 per unintentional violation
    • Up to $7,500 per intentional violation, or per violation involving the personal information of a consumer under 16

When you can (or must) refuse a DSAR

There are a few legitimate reasons to refuse a DSAR, in whole or in part. When you deny one, be courteous, concise and practical: avoid legalese and say what would change the outcome.

GDPR

  • The request is manifestly unfounded: the individual clearly has no intention of exercising their right of access (e.g., they offer to withdraw it in return for some benefit from your organisation)
  • The request is malicious in intent and is being used to harass your organisation or cause disruption
  • Disclosure would adversely affect the rights and freedoms of others (withhold only the affected data, not the whole response)
  • You cannot verify the requester’s identity (you may ask for additional information; under ICO guidance the time limit runs from the day you receive it)
  • If you refuse, you must write back to the requester within one month of receipt, explain why, and inform them of their right to complain to a supervisory authority and to seek a judicial remedy

GDPR UK

The UK GDPR mirrors the EU text: Article 12(5) in both lets you refuse, or charge a reasonable fee for, requests that are manifestly unfounded or excessive. The ICO’s guidance adds detail on what “excessive” means:

  • A request is manifestly excessive when it is clearly unreasonable weighed against the burden or cost of dealing with it. A large volume of documents is not enough on its own; there must be additional context that makes the request excessive

CCPA/CPRA

  • You cannot verify the requester’s identity within the 45-day window
  • A statutory exception applies (e.g., completing a transaction, security and anti-fraud, debugging, free expression, legal obligations, internal uses consistent with the consumer’s reasonable expectations)

Managing DSARs can feel overwhelming, especially as requests become more frequent and complex. To stay on track, consider tools that streamline workflows and improve efficiency.

That is where Phaselaw comes in!

Phaselaw cuts document processing time for DSARs through automated deduplication, redaction and more. It is designed to be fast and easy to use, with no certifications required. Our AI-native workflows handle the most tedious parts of document review behind a clean, modern and intuitive interface.

Sources:

https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/individual-rights/right-of-access/

https://www.edpb.europa.eu/sme-data-protection-guide/respect-individuals-rights_en

https://oag.ca.gov/privacy/ccpa

Simplify your document redaction

Learn how Phaselaw can accelerate your redaction tasks.