Subject Access Request Time Limit UK: Deadlines, Extensions, and the DUAA 2025 Stop-the-Clock Rule
Published 24 February 2026 · Last reviewed 10 March 2026
You have one calendar month to respond to a subject access request. Miss it, and the requester can complain to the ICO — where SAR complaints rose 23% year-on-year to over 16,000 in a single reporting period, according to the ICO's annual report.
This guide breaks down exactly how the deadline works, when you can extend it, and how the new stop-the-clock rule under the Data (Use and Access) Act 2025 changes the calculation.
This guide covers UK SAR time limits under UK GDPR and the Data Protection Act 2018, as amended by the DUAA 2025. It is not legal advice.
The basic rule: one calendar month
Under UK GDPR Article 12(3), you must respond to a SAR "without undue delay" and within one calendar month of receipt.
The clock starts on the day you receive the request — not when you acknowledge it, assign it, or start searching. If any employee in your organisation receives the request, it counts.
How to calculate the deadline:
- SAR received 15 March → deadline 15 April
- SAR received 31 January → deadline 28 February (or 29 in a leap year — the last day of the month)
- If the deadline falls on a weekend or bank holiday, it moves to the next working day
Use the SAR deadline calculator to work out your exact deadline automatically.
The DUAA 2025 stop-the-clock rule
The Data (Use and Access) Act 2025, section 76 — in force since 5 February 2026 — introduces a stop-the-clock mechanism that fundamentally changes how SAR deadlines work.
When the clock pauses
The response period does not start until you receive:
- Identity verification. If you request proof of identity from the requester, the clock does not start until they provide it. Previously, the one-month period ran from receipt of the SAR regardless of whether you had verified the requester's identity.
- Clarification of a broad request. If a request is too vague to action — "send me everything" with no indication of time period or data category — you can ask the requester to narrow it down. The time between your clarification request and their response does not count toward the deadline.
How this works in practice
Example: A SAR arrives on 1 March. You request ID verification on 2 March. The requester provides their passport on 12 March. Your one-month clock starts on 12 March, giving you until 12 April to respond.
Example: A SAR arrives on 1 March asking for "all my data." You ask for clarification on 3 March — which systems, which time period? They respond on 20 March specifying "HR records and emails from 2024-2025." Your clock starts on 20 March, giving you until 20 April.
Key requirement: Your request for verification or clarification must be genuine and reasonable. The ICO will not accept stop-the-clock being used as a delaying tactic. If you ask for ID for a current employee whose identity you can already verify from payroll records, that is not a genuine need.
What to document
Log the exact dates:
- Date SAR received
- Date you requested verification/clarification
- Date verification/clarification was received
- Calculated deadline (one month from the later date)
This timeline is your evidence that the clock was legitimately paused.
When you can extend by two months
Separately from the stop-the-clock mechanism, UK GDPR Article 12(3) allows a two-month extension if:
- The request is complex (large volumes of data across multiple systems, difficult exemption decisions)
- You receive multiple requests from the same individual at the same time
You must tell the requester within the first calendar month that you are extending and explain why. Failing to notify is itself a breach — even if you ultimately respond within the extended deadline.
The extension adds two months to the original one-month deadline, giving you three months total from the start of the applicable period.
When does complex mean complex? The ICO's right of access guidance gives examples: the request covers data held across multiple systems with no central search, the data involves numerous third parties requiring redaction decisions, or the data requires careful exemption assessment (legal privilege in tribunal cases, for instance).
Routine requests — even if they involve a large volume of straightforward data — are not automatically complex enough to justify an extension.
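The deadline arithmetic from the one-calendar-month, stop-the-clock and extension sections above, as an added Python example (not code from this guide or from the SAR deadline calculator it mentions). The function names and the bank-holiday set are assumptions; the caller supplies the holiday dates that apply to them.

```python
import calendar
from datetime import date, timedelta

def add_months(start: date, months: int) -> date:
    """Same day of the month N months later; clamp to month end (31 Jan -> 28/29 Feb)."""
    year, month0 = divmod(start.year * 12 + start.month - 1 + months, 12)
    last_day = calendar.monthrange(year, month0 + 1)[1]
    return date(year, month0 + 1, min(start.day, last_day))

def next_working_day(day: date, bank_holidays=frozenset()) -> date:
    """Roll a date that lands on a weekend or bank holiday forward to a working day."""
    while day.weekday() >= 5 or day in bank_holidays:
        day += timedelta(days=1)
    return day

def sar_deadline(received, info_received=None, extended=False, bank_holidays=frozenset()):
    """Hypothetical helper. info_received is the date the requested ID or clarification
    arrived (None if none was requested); extended marks a notified two-month extension."""
    # Stop-the-clock: the period runs from the later of the two dates.
    clock_start = max(received, info_received) if info_received else received
    # One calendar month, or three in total when the extension applies.
    nominal = add_months(clock_start, 3 if extended else 1)
    return {
        "received": received,            # log: date SAR received
        "clock_start": clock_start,      # log: date the response period began
        "nominal": nominal,              # calendar-month end date before any roll
        "deadline": next_working_day(nominal, bank_holidays),
    }

if __name__ == "__main__":
    # Constructed sample holiday set (Good Friday and Easter Monday 2026).
    holidays = frozenset({date(2026, 4, 3), date(2026, 4, 6)})
    cases = [
        ("received 15 March", dict(received=date(2026, 3, 15))),
        ("received 31 January", dict(received=date(2026, 1, 31))),
        ("ID provided 12 March", dict(received=date(2026, 3, 1),
                                      info_received=date(2026, 3, 12))),
        ("clarified 20 March", dict(received=date(2026, 3, 1),
                                    info_received=date(2026, 3, 20))),
        ("nominal end on a bank holiday", dict(received=date(2026, 3, 3))),
    ]
    for label, kwargs in cases:
        result = sar_deadline(bank_holidays=holidays, **kwargs)
        print(f"{label}: nominal {result['nominal']}, respond by {result['deadline']}")
```

The returned dictionary keeps the receipt date, the clock-start date and the unrolled end date alongside the final deadline, so the same record can go straight into the SAR log.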
For a step-by-step guide to the full SAR response process, see How to Respond to a Subject Access Request from an Employee. If your request involves exemptions, see SAR Exemptions Explained. For an overview of tools that help track SAR deadlines across multiple requests, see DSAR Software for Small Businesses.
Stop-the-clock vs. extension: which applies?
These are two separate mechanisms and they can apply in sequence:
| Mechanism | When it applies | Effect on deadline | Notification required? |
|---|---|---|---|
| Stop-the-clock (DUAA 2025 s.76) | You need identity verification or clarification | Clock pauses until you receive it | No specific notification — but you must request the information promptly |
| 2-month extension (UK GDPR Art. 12(3)) | Request is complex or multiple requests received | Adds 2 months to the response period | Yes — must notify within the first month with reasons |
Combined example: SAR received 1 March. ID requested 2 March, received 15 March (clock starts). The request covers 6 systems and involves tribunal-related legal privilege assessments — genuinely complex. You notify the requester on 10 April that you are extending by 2 months. New deadline: 15 May + 2 months = 15 July.
What happens if you miss the deadline
The consequences escalate:
ICO complaint. The requester complains to the ICO. The ICO asks you to demonstrate that your search was reasonable and that your response was sent within the deadline (or that a valid extension was notified). If you cannot demonstrate this, the ICO can issue:
- An assessment notice requiring you to take specific corrective action
- A reprimand — a formal finding of non-compliance published on the ICO's website
- An enforcement notice requiring you to respond within a specified period
- A penalty notice — fines up to £17.5 million or 4% of annual global turnover (whichever is higher)
Employment tribunal impact. In tribunal proceedings, a late or incomplete SAR response can damage your credibility. Tribunals may draw adverse inferences from delays — particularly if the data withheld is relevant to the case.
Practical reality for SMEs: The ICO's enforcement action typically starts with reprimands and enforcement notices rather than maximum fines. But the reputational damage, management time spent responding to ICO investigations, and potential tribunal consequences make deadline compliance a business-critical issue.
Frequently asked questions
Does the one-month deadline include weekends and bank holidays? Yes — it is one calendar month, counting all days. Only the final day shifts: if the deadline falls on a weekend or bank holiday, it extends to the next working day.
Can you extend the deadline without telling the requester? No. You must notify the requester within the first month and explain why the extension is necessary. A silent extension is a breach of Article 12(3) even if you respond within the extended period.
What if the requester never responds to your clarification request? Under the DUAA 2025 stop-the-clock provision, the clock remains paused until clarification is received. If the requester abandons the request, you should follow up at a reasonable interval and document your attempts.
Does the stop-the-clock rule apply to SARs received before 5 February 2026? The DUAA 2025 provisions apply to requests handled after the commencement date. SARs received before 5 February 2026 but still being processed after that date should be handled under the new rules for the remaining response period. Seek legal advice if the timing is ambiguous.
Can the requester complain to the ICO before the deadline has passed? The ICO will generally wait until the deadline expires before assessing a complaint about response time. However, if you have neither responded nor communicated about an extension, the ICO may contact you to remind you of your obligations.
Deadline checklist
Before your SAR deadline arrives, confirm:
- The SAR receipt date and deadline are logged with an audit trail
- Any stop-the-clock periods (ID verification, clarification) are documented with exact dates
- If extending by 2 months, the requester was notified within the first month with reasons
- The response was dispatched before the deadline (keep proof of dispatch)
- If the deadline was missed, an explanation is documented for any ICO inquiry