Deadlines & Extensions

GDPR requires timely responses to data subject requests. SAR Portal helps you track and manage deadlines to maintain compliance.

The 30-Day Rule

Under GDPR Article 12, you must respond to requests “without undue delay and in any event within one month of receipt.”

How SAR Portal Calculates Deadlines

Clock starts when the case is created
Due date is set to 30 calendar days from creation
Weekends and holidays count toward the deadline
If the deadline falls on a weekend/holiday, the last working day before is used

Important

If you receive a request via email and create the case later, the legal deadline technically starts from when you received the request, not when you created the case. Create cases promptly!

Deadline Tracking Features

Dashboard Indicators

The dashboard shows:

Overdue Cases - Past deadline (red)
Due This Week - Approaching deadline (yellow)
Days Remaining - Countdown on each case

Case List View

Each case displays:

Due date
Days remaining badge
Color-coded urgency indicators

Email Notifications

Configure reminders at:

7 days before deadline
3 days before deadline
1 day before deadline
On the deadline
When overdue

Extending Deadlines

GDPR Article 12(3) allows extensions for complex requests.

When You Can Extend

Complex requests requiring more time
High volume of requests from the same person
Requests involving large amounts of data
Requests requiring coordination with third parties

Extension Limits

Maximum extension: 2 additional months (60 days)
Total maximum time: 3 months (90 days)
Must notify subject within original 30 days

How to Extend

Open the case
Click More Actions > Extend Deadline
Select extension duration
Enter the reason for extension
Confirm the extension

The system will:

Update the due date
Change status to “Extended”
Log the extension in the audit trail
Optionally notify the subject

What to Tell the Subject

When extending, inform the subject of:

The extension and new deadline
Reasons for the extension
Their right to complain to a supervisory authority

Example notification:

“Due to the complexity of your request and the volume of data involved, we require additional time to process it fully. In accordance with GDPR Article 12(3), we are extending the response deadline by [X] days. You should receive our complete response by [new date]. If you have concerns about this extension, you have the right to lodge a complaint with your local data protection authority.”

Pausing the Clock

In some situations, the deadline clock may pause:

When Awaiting Information

If you’ve requested identity verification or clarification from the subject, some jurisdictions allow pausing the clock until they respond.

Jurisdiction Matters

Clock-pausing rules vary by EU member state. Check your local data protection authority's guidance. SAR Portal tracks "Awaiting Information" status but doesn't automatically pause deadline calculations.

What Counts as Pausing

Formal written request for clarification
Identity verification request
Request for additional details to locate data

Documenting Pauses

Always document:

Date you requested information
What you requested
Date subject responded
Adjusted deadline calculation

Missing Deadlines

If you miss a deadline:

Immediate Actions

Respond as quickly as possible
Apologize for the delay
Explain the reason
Complete the request fully

Risks of Missing Deadlines

Subject complaints to supervisory authority
Regulatory investigation
Potential fines
Reputational damage

Prevention Strategies

Set up deadline notifications
Review dashboard daily
Prioritize approaching deadlines
Extend early if needed

Best Practices

Create Cases Immediately

Don’t wait to create a case when you receive a request. The legal clock starts at receipt, not case creation.

Monitor the Dashboard

Make checking the dashboard part of your daily routine. Address approaching deadlines proactively.

Extend Early, Not Late

If you suspect a request will be complex:

Extend within the first week
Notify the subject promptly
Document your reasoning

Document Everything

Keep records of:

When requests were received
Any delays in creating cases
Reasons for extensions
Communications with subjects

Use Notifications

Configure email notifications to alert the right people:

Case creators
Team managers
Compliance officers

Deadline Calculator

Scenario	Deadline
Standard request	30 days from receipt
Extended (1 month)	60 days from receipt
Extended (2 months)	90 days from receipt
Awaiting info (if clock paused)	30 days from response

Remember: These are maximum times. GDPR says respond “without undue delay” - faster is always better.