For Individuals Only

This website is designed for individual consumers to understand their rights and track their own SAR and FOI requests.

It is not intended for commercial use by organisations, companies, or professionals managing requests on behalf of others.

Back

SAR Deadlines Guide

Time limits for Subject Access Requests explained

Based on ICO GUIDANCE and UK GDPR Article 12. This guide explains how deadlines work, when they can be extended, and what stops the clock.

Important note from the ICO:

Due to the Data (Use and Access) Act coming into law on 19 June 2025, this guidance is under review and may be subject to change. The Plans for new and updated guidance page will tell you about which guidance will be updated and when this will happen. [Source: ICO]

1 Month
Standard Deadline
3 Months
Extended Deadline
Calendar Months
Not working days
Clock Pauses
For ID/clarification

What Are the Time Limits?

Standard Time Limit

If you exercise any of your rights under data protection law, the organisation you're dealing with must respond as quickly as possible. This must be no later than one calendar month, starting from the day they receive the request.

If the organisation needs something from you to be able to deal with your request (eg ID documents), the time limit will begin once they have received this.

Extended Time Limit

If your request is complex or you make more than one, the response time may be a maximum of three calendar months, starting from the day of receipt.

Valid reasons for extension include:

Complex request: Large volumes of data, legacy systems, heavy redaction needed
Numerous requests: Multiple requests from you in a short time
Important: They MUST tell you within one month if an extension applies, and explain why.

What is a Calendar Month?

A calendar month starts on the day the organisation receives the request, even if that day is a weekend or public holiday. It ends on the corresponding calendar date of the next month.

Example: An organisation receives a request on 3 September. The time limit starts from the same day. This gives the organisation until 3 October to comply with the request.

When the End Date Falls on a Non-Working Day

If the end date falls on a Saturday, Sunday or bank holiday, the calendar month ends on the next working day.

Example: An organisation receives a request on 25 November. The time limit starts from the same day. The corresponding calendar date is 25 December, but 25 December and 26 December are bank holidays. So the organisation would therefore have until the next working day, 27 December if that was a week day.

When the Date Doesn't Exist

If the corresponding calendar date does not exist because the following month has fewer days, the deadline is the last day of the month.

Example: An organisation receives a request on 31st March. The time limit starts from the same day. As there is no equivalent date in April, the organisation has until 30th April to comply with the request.
However: If 30th April falls on a weekend or public holiday, the calendar month ends the next working day.

When Does the Clock Start?

Email Requests

The clock starts on the day of sending (the organisation is deemed to have received it immediately). Keep a copy in your sent folder as proof.

Postal Requests

The clock starts on the day of delivery. Keep proof of postage. If you can't prove delivery, they may claim they never received it.

When Does the Clock Stop or Pause?

ID Requests

If they ask for ID, the clock pauses until you provide it. Respond quickly to avoid delay.

Clarification

If they need clarification, the clock pauses for the part needing clarification. Respond promptly to keep your deadline intact.

Extensions – When Can They Delay?

Organisations can extend the deadline by up to 2 months (total 3 months) but ONLY for specific reasons:

Valid Reasons

Complex request Large volumes, legacy systems, heavy redaction needed
Numerous requests Multiple requests from you in a short time

NOT Valid Reasons

"We're too busy"
"Staff shortages"
"IT issues"
Remember: They MUST tell you within one month if they need an extension and explain why.

SAR Deadlines at a Glance

Standard response:

1 Calendar Month

Extended response:

3 Calendar Months

The clock starts the day they receive your request

The clock pauses if they ask for ID or clarification

They must tell you within one month if extending

Sources:

Last reviewed: March 2026. This guidance is based on current ICO guidance and may be subject to change following the Data (Use and Access) Act 2025.

Back to Resources Hub