← All guides

After Sending Your GDPR Request

The one-month timeline

Under Article 12 GDPR, an organisation must respond within one month of receiving your request. The clock starts from the day they receive it — not the day you sent it.

They can extend this deadline by a further two months for requests that are complex or numerous — but they must notify you of the extension within the first month and explain why. If they extend without telling you, that is itself a violation.

What a valid response looks like

A proper response to a subject access request should include:

• Confirmation of whether they process your personal data
• A copy of the personal data itself
• The purposes for which it is processed
• The categories of data held
• Who the data has been or will be shared with
• How long they intend to keep it
• Information about your other rights (rectification, erasure, restriction, objection)
• The right to lodge a complaint with a supervisory authority

What if they don't respond?

If you receive no response after one month (or three months if they extended), you have two options:

1. Lodge a complaint with your national data protection authority. This is free and the authority can investigate and enforce compliance. See our supervisory authority guide for links to each country's authority.
2. Seek a court order requiring the organisation to comply. This route is more involved and may require legal advice, but is an option where the DPA is slow to act.

What if they refuse?

An organisation can only refuse a subject access request in limited circumstances — for example if:

• The request is manifestly unfounded or excessive
• Providing the data would adversely affect the rights of others (e.g. revealing a third party's personal data)
• A specific legal exemption applies (e.g. data held for prevention of crime)

If they refuse, they must tell you why, inform you of your right to complain to a supervisory authority, and inform you of your right to seek a judicial remedy. A refusal without explanation is itself a GDPR violation.

Can they charge a fee?

No, in most cases. Subject access requests must be fulfilled free of charge. The only exceptions are if a request is manifestly unfounded or excessive, or if you request further copies of data you have already received — in which case a reasonable administrative fee can be charged.

Keep a record

Always keep a copy of your request and note the date you sent it. If you sent it by email, keep the sent copy. If you sent it by post, use recorded delivery. This evidence matters if you later need to make a complaint.