Quick note: This guide summarises common rules and links back to a calculator. Always check official ICO guidance for your specific case.
Quick answer
Under Article 12(3) of the UK GDPR and section 45 of the Data Protection Act 2018, a data controller must respond to a subject access request (SAR) without undue delay and in any event within one calendar month of receiving the request. A calendar month means the matching date in the following month — for example, a SAR received on 15 June must be answered by 15 July. The deadline can be extended by up to two further months for complex or numerous requests, but the controller must inform the requester within the first month.
How the one calendar month deadline works
The one calendar month time limit is not the same as 30 days or 4 weeks — it means the same day of the following month. Here is how to count it:
| SAR received | Deadline | Notes |
|---|---|---|
| 5 January | 5 February | Standard one calendar month |
| 31 January | 28 February (or 29 in leap year) | February has fewer days; the deadline moves to the last day |
| 15 March | 15 April | Standard |
| 30 June | 30 July | Standard |
| 1 December | 1 January (or next working day if 1 Jan is a bank holiday) | If deadline lands on weekend/bank holiday, it moves to next working day |
Worked example: SAR with ID verification delay
| Event | Date | Clock status |
|---|---|---|
| SAR received | Monday 10 March 2025 | Clock starts |
| ID requested by controller (same day) | Monday 10 March 2025 | Clock pauses |
| ID documents provided by requester | Wednesday 19 March 2025 | Clock resumes (9 days used before pause) |
| Deadline (one calendar month from receipt, less pause) | Thursday 10 April 2025 | 11–19 March clock was paused, so deadline = 10 April |
When the clock starts
The ICO’s guidance states that the one calendar month period starts on the day the SAR is received, not the day after. This is different from FOI, where the clock starts the day after receipt. However, the ICO also recognises that the clock should not run while the controller is waiting for the requester to provide reasonable identification or clarification. The clock pauses during that period.
If the deadline falls on a Saturday, Sunday, or UK bank holiday, it moves to the next working day.
Extension for complex or numerous requests
Under Article 12(3) of UK GDPR, a controller may extend the time limit by up to two further calendar months if the request is complex or if the individual has made a number of requests. The controller must:
- Inform the individual within the first calendar month that an extension is needed.
- Explain the reasons for the delay.
- Notify the individual of their right to complain to the ICO.
What counts as a valid SAR?
For the clock to start, the SAR must be valid. The ICO expects that:
- The request is made in writing (email, letter, social media, or via a web form). A verbal SAR is also valid, though controllers are advised to record it.
- The requester has provided enough information for the controller to identify them and locate their personal data.
- If the controller reasonably needs more information to verify identity or clarify what data is sought, the clock pauses until that information is provided.
Manifestly unfounded or excessive requests
Under Article 12(5) of UK GDPR, a controller can refuse to comply with a SAR if it is manifestly unfounded or excessive. However, the ICO sets a high bar for this, and the controller must be able to justify the refusal and inform the requester of their right to complain to the ICO. A request is not excessive simply because it covers a lot of data or a long period.
Step-by-step: calculating a SAR deadline
- Record the date the SAR was received. This is day zero — the clock starts on this date.
- Check whether you need ID or clarification. If yes, request it immediately and pause the clock until you receive it.
- Calculate one calendar month from receipt. If received on the 15th, the deadline is the 15th of the next month. Handle month-end edge cases carefully.
- Adjust for pauses. If the clock was paused for ID or clarification, add the pause duration to the deadline.
- Check whether the deadline falls on a weekend or bank holiday. If yes, move to the next working day.
- If you need an extension, notify the requester within the first month and record the new deadline (up to three calendar months total).
- Use a SAR deadline calculator to verify your calculation.
Key takeaways
- The SAR time limit is one calendar month (not 30 days, not 4 weeks) from receipt of a valid request.
- The clock can be extended by up to two further months if the request is complex or numerous — the requester must be told within the first month.
- The clock pauses while you wait for ID verification or clarification from the requester.
- If the deadline lands on a weekend or bank holiday, it moves to the next working day.
- Manifestly unfounded or excessive requests can be refused, but the bar is high.
- Always communicate with the requester before the deadline passes.
References
- Data Protection Act 2018, section 45 (legislation.gov.uk)
- ICO — Right of access (subject access requests)
- ICO — Time limits for responding to a SAR
Use the calculator to handle your deadline calculations quickly and accurately.
