How long a company has to respond to your data request

The one-month rule

When you send a Data Subject Access Request (DSAR) — your right of access under the UK GDPR (Article 15) — the organisation must respond without undue delay and, at the latest, within one calendar month. The ICO describes this as the standard time limit, and it applies to most access requests an individual makes.

"One calendar month" means the deadline lands on the same date in the next month. So a request received on 5 March is due by 5 April. Where there is no matching date — for example a request received on 31 January — the deadline falls on the last day of the following month. If the final day is a weekend or a public holiday, it rolls to the next working day.

"Without undue delay" matters too: one month is the outer limit, not a default waiting period. If an organisation can answer sooner, it should. This is general information, not legal advice.

When the clock starts — and when it can be paused

The time limit starts on the day the organisation receives your request, not the day it gets around to reading it. You do not have to use any special form or wording for the clock to start; a clear request for your personal data is enough, however it is sent.

There are two situations where the start can shift. If the organisation reasonably needs to confirm who you are before releasing personal data, the clock can start once it has what it needs to verify your identity. And if it asks a genuine clarifying question about a very wide request, the ICO's guidance allows the time to be paused while it waits for your reply. These should be real, proportionate steps — not a way to stall.

Because of this, it helps to make your request specific and to respond promptly to any reasonable identity check or clarification. You stay in control of how much detail you give.

• The clock starts the day your request is received.
• No special form or magic words are needed to start it.
• Verifying your identity can move the start to when verification is complete.
• A genuine clarifying question about a broad request can pause the clock until you reply.
• Identity and clarification steps must be reasonable, not a delaying tactic.

Extensions, fees, and what to do if a deadline passes

The one-month limit can be extended by up to two further months — making three months in total — but only where the request is complex or where you have made a number of requests. The organisation must tell you within the first month that it is taking longer, and explain why. It cannot simply go quiet and reappear in month three.

In most cases a DSAR is free. An organisation can only charge a reasonable fee, or refuse, where a request is manifestly unfounded or excessive — for example, repetitive — and even then it should explain its reasoning. A fee request does not, on its own, reset the clock indefinitely.

If the deadline passes with no response, no valid extension, and no explanation, you can follow up in writing and remind the organisation of the time limit. If that does not resolve it, you have the right to complain to the Information Commissioner's Office (ICO). OSINTA can help you frame and route your own request and keep track of the timeline — the system suggests, and you decide every step. This is general information, not legal advice.

Frequently asked questions

Related terms

• Data Subject Access Request (DSAR)
• GDPR (General Data Protection Regulation)
• Data controller
• Data protection regulator