DSAR Deadline Calculator.
Pick the regulation and the date the request was received. Get the response deadline, the article citation, and the days remaining — with the extension rules where they apply.
1. Tell us about the request
All fields are required. Nothing leaves your browser — this calculator runs entirely client-side.
The clock starts on the day after you receive the request under GDPR & UK GDPR; the same day under CCPA / CPRA. We handle this for you.
Pick the regulation that applies to the data subject's residency — not where you process the data.
Built by Privacy Automated — a privacy compliance platform that automates DSAR routing, DPIA drafting, and policy-grounded Q&A.
Stop tracking DSARs in spreadsheets.
Privacy Automated logs every inbound DSAR automatically, classifies it (deletion / access / portability / opt-out / rectification), starts the identity-verification flow, and fans it out to your configured department contacts — with a live deadline countdown on every request.
Response deadlines at a glance
EU GDPR
1 month from the day after receipt; extendable by +2 months for complex or numerous requests, with notice to the data subject within the first month.
Art. 12(3)
UK GDPR & DPA 2018
1 month from receipt (the ICO interprets "1 month" as the corresponding calendar date next month). Extendable by +2 months for complex requests.
UK GDPR Art. 12(3) · DPA 2018 s.45
CCPA / CPRA (California)
45 days from receipt of a verifiable consumer request. Extendable once by +45 days with notice within the first 45.
Cal. Civ. Code § 1798.130(a)(2)
PIPEDA (Canada)
30 days from receipt (the OPC interprets this as the soft maximum). Extension of up to +30 days permitted in defined circumstances with written notice.
PIPEDA Principle 4.9.4 · s.8(3)
Quebec Law 25
30 days from receipt. No statutory extension — the deadline is firm.
An Act respecting the protection of personal information in the private sector, s.34
Virginia VCDPA / Colorado CPA / Connecticut CTDPA
45 days from receipt of an authenticated request. Extendable once by +45 days when reasonably necessary, with notice.
VA Code § 59.1-577(B) · C.R.S. 6-1-1306(2) · CTDPA § 4(c)
Frequently asked questions
When does the clock actually start?
Under GDPR and UK GDPR, the response period begins the day after you receive the request — this calculator handles that offset automatically. Under CCPA / CPRA and most U.S. state laws, the count starts on the day of receipt. Under PIPEDA, the OPC has been pragmatic about either reading.
What counts as "complex or numerous" for the GDPR extension?
The EDPB's guidance gives examples: requests requiring data from multiple systems, requests where the data subject hasn't sufficiently identified themselves, or a high volume of requests from one individual. You must notify the data subject of the extension and the reason for it within the first month.
Does the deadline pause for holidays or weekends?
No — all the regulations covered here use calendar days, not business days. The deadline falls on whatever date it lands on, weekend or holiday. (Some companies issue responses one business day early to avoid weekend slippage; that's an internal choice, not a legal requirement.)
What if I can't verify the data subject's identity?
The clock keeps running while you work in good faith to verify. Document every verification attempt with timestamps. If you ultimately cannot verify identity (or the request is manifestly unfounded), you may refuse the request — but you must respond within the deadline explaining why.
What's a "verifiable consumer request" under CCPA?
CCPA / CPRA requires you to verify, to a reasonable degree of certainty, that the requester is the consumer whose data is at issue. The level of verification scales with the sensitivity of the data and the type of request — deletion of sensitive personal information demands more verification than a basic categories-of-data request.
Why isn't my state listed?
Most newer U.S. state privacy laws (Utah UCPA, Tennessee TIPA, Texas TDPSA, Oregon OCPA, etc.) follow the 45-day-plus-45-day-extension pattern set by Virginia. If your state isn't in the dropdown, use "Virginia VCDPA" as a safe proxy and verify against the local statute.
Is this calculator legal advice?
No. This is a starting point keyed to the most common statutory deadlines, not a substitute for advice from privacy counsel for your specific facts. The article citations above link to the source rules so you can verify the math yourself.