Receiving a data subject rights request is one of the moments when compliance with Regulation (EU) 2016/679 (GDPR) becomes most visible and urgent for any organisation. The data subject expects a response; the regulation imposes deadlines; and the Agencia Española de Protección de Datos (AEPD — Spain's data protection authority) investigates when those deadlines are not met. This article analyses, provision by provision, the time-limit framework under the GDPR: how the clock is calculated, when an extension is permissible, and what consequences follow from silence or delay.
The rights that trigger the Article 12 time limit
The GDPR recognises a set of individual rights commonly grouped under the label ARCO+: access (art. 15), rectification (art. 16), erasure or the “right to be forgotten” (art. 17), restriction of processing (art. 18), data portability (art. 20), objection (art. 21), and the right not to be subject to solely automated decisions (art. 22). All of them fall within the scope of Article 12 GDPR, which establishes the general framework for transparency and communication with data subjects.
Ley Orgánica 3/2018, of 5 December, on the Protection of Personal Data and the guarantee of digital rights (LOPDGDD) supplements this framework in Spain, particularly in its arts. 12 to 18, without modifying the time limits set by the European Regulation. It is worth clarifying that the repealed Ley Orgánica 15/1999 (the former LOPD) is no longer in force; any reference to the current “LOPD” actually refers to the LOPDGDD.
If your organisation receives rights requests and needs support to manage them correctly, Summum Consultoría offers a dedicated data subject rights management service tailored to the size and sector of each business, with offices in Castilla y León and the Canary Islands.
The one-month time limit: what Article 12.3 GDPR actually says
Article 12.3 GDPR provides as follows:
"The controller shall provide information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within one month of receipt of the request."
Three elements of this text deserve particular attention:
- "Provide information on action taken": the obligation is not merely to reply; it is to provide information about the steps actually taken. If the controller considers the request unfounded, it must communicate this with reasons; if it complies, it must inform the data subject of which data have been rectified, erased, or disclosed.
- "In any event": the time limit is mandatory. Unjustified delays are not admissible, even if the organisation is still internally assessing the request.
- "Of receipt of the request": the dies a quo (the start date of the clock) is the date of receipt, not the date on which the controller internally opens or processes the communication.
Exact calculation of the one-month time limit
The Regulation refers to "months" in the calendar sense, following Article 3 of Regulation (EC, Euratom) 1182/71, which governs time limits in EU law. A month is counted from date to date: if the request is received on 10 January, the deadline falls on 10 February.
Where the expiry month does not contain the equivalent day (for example, a request received on 31 January would expire on 28 or 29 February), the deadline falls on the last day of that month. If the expiry day is a public holiday or non-working day, the GDPR does not provide for automatic suspension: the response must be ready on or before that day. The AEPD applies this criterion strictly.
In practice, organisations must record the exact date of receipt of each request and set internal alerts with enough lead time to review, process, and send the response before the deadline. The countdown begins from the moment the request reaches the designated channel — whether a web form, an email address, or a paper communication.
The two-month extension: when and how to apply it
The second subparagraph of Article 12.3 GDPR provides for an exceptional extension:
"That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay."
The extension is neither automatic nor discretionary. It requires objective reasons of complexity or volume. The AEPD takes the view that the organisation's ordinary workload does not justify an extension; there must be circumstances that make it reasonably impossible to give a complete response within one month. Admissible examples include:
- Requests affecting a large number of files or processing systems.
- Portability rights involving data volumes that require complex technical processing.
- A high number of simultaneous requests that exceeds the organisation's usual handling capacity.
What does not justify an extension: not knowing what data the organisation holds, not having implemented an internal procedure, or the responsible staff being absent on holiday.
Notification of the extension to the data subject must be given within the first month, before the ordinary deadline expires. If the controller fails to notify the extension within that period, the extension has no legal effect and the breach of the original one-month limit is established.
Comparison table: time limits under Article 12 GDPR
| Scenario | Time limit | Additional obligation |
|---|---|---|
| Standard response to any ARCO+ right | 1 month from receipt | None, other than providing complete information |
| Extension on grounds of complexity or volume | 3 months from receipt (1 month + 2 additional months) | Notify the data subject of the extension and the reasons within the first month |
| Manifestly unfounded or excessive request | At the controller's discretion, within the 1-month period | Communicate the refusal with reasons or charge a reasonable fee (art. 12.5 GDPR) |
| Inability to identify the requester | Time limit suspended until additional identification information is received | Request the necessary information from the data subject without undue delay (art. 12.6 GDPR) |
Silence by the controller: what it means and what it opens
The GDPR does not expressly incorporate the concept of "administrative silence" as found in Spanish administrative procedure law, but the practical consequence of a controller's silence is clear: the data subject may lodge a complaint with the supervisory authority for failure to respond in time. The AEPD treats silence as a breach of Article 12.3 GDPR, capable of giving rise to enforcement proceedings.
Two situations should be distinguished:
- Silence within the first month without having notified an extension: the breach is direct. The data subject may file a complaint with the AEPD the day after the deadline expires.
- A timely but incomplete or evasive response: this may also give rise to a complaint, since Article 12.3 requires the controller to provide "information on action taken", not a formal response that is empty of substance.
The burden of proof lies with the controller. Article 12.2 GDPR establishes that if the controller decides not to act on a request, it must communicate this to the data subject without delay and at the latest within one month, informing the data subject of the right to lodge a complaint with a supervisory authority. If the controller cannot prove it complied, non-compliance is presumed.
Complaint before the AEPD: procedure and time frames
Article 77 GDPR grants data subjects the right to lodge a complaint with a supervisory authority. In Spain, the admissibility and resolution of complaints before the AEPD are governed by arts. 63 to 65 LOPDGDD, and the AEPD's supervisory and sanctioning powers are conferred by art. 47 LOPDGDD. The procedure for filing a complaint with the AEPD consists of the following steps:
- Prior request to the controller: while not legally required, the AEPD recommends that the data subject first direct their request to the controller and await a response. If the organisation does not reply in time or the response is unsatisfactory, a complaint to the Agency is appropriate.
- Filing the complaint: this is done through the AEPD's electronic portal, using the dedicated rights-complaint procedure. The data subject must provide a copy of the original request, proof of its submission, and the response received (or evidence of the absence of a response).
- Admissibility decision: the AEPD has a set period to admit or reject the complaint. If admitted, it will forward the complaint to the controller for submissions.
- Decision: the AEPD issues a decision upholding or dismissing the complaint. If it finds an infringement, it may open enforcement proceedings of its own motion.
If your organisation has received a communication from the AEPD in connection with a rights complaint, the Summum Consultoría team can assist you in preparing submissions and reviewing internal procedures. See our data subject rights management service for more information.
Consequences of non-compliance: the sanctions framework
Failure to comply with the obligations under Article 12 GDPR may be classified as an infringement pursuant to Article 83 of the Regulation. The classification depends on severity:
- Article 83.5 GDPR: infringement of data subjects' rights (arts. 12 to 22 GDPR) is a serious infringement, subject to fines of up to EUR 20,000,000 or, in the case of an undertaking, 4% of total worldwide annual turnover of the preceding financial year, whichever is higher.
- Article 83.4 GDPR: infringement of transparency or procedural obligations (for example, failing to notify an extension in time) may fall within the lower tier, subject to fines of up to EUR 10,000,000 or 2% of total worldwide annual turnover.
The LOPDGDD (LO 3/2018) adapts this framework in its arts. 70 to 74, classifying infringements as very serious, serious, and minor, with specific rules for public authorities. The AEPD takes aggravating and mitigating circumstances into account when determining the specific sanction: intent, number of data subjects affected, measures taken to mitigate the damage, cooperation with the Agency, and history of prior infringements.
Best practices for managing rights requests on time
Meeting the deadline under Article 12.3 GDPR does not depend solely on knowing the rule; it depends on having implemented a reliable internal process. Organisations we work with in Castilla y León and the Canary Islands typically benefit from the following measures:
- A single, monitored channel: designating a dedicated email address or web form for rights requests, with an automatic alert to the privacy officer when a new request arrives.
- A request register: maintaining a log with the date of receipt, the type of right exercised, the verified identity of the requester, the steps taken, and the date of response.
- Pre-approved response templates: having draft responses for each type of right, tailored to the categories of data processed by the organisation, reduces the risk of a late or incomplete response.
- Staff training: anyone who may receive a rights request — reception staff, customer service, human resources — must know who to escalate it to and within what timeframe.
- Regular procedure review: requests arriving through unofficial channels (by post, in person, by telephone) also start the clock; the procedure must account for them.
Frequently asked questions
Does the one-month period run even if the request arrives through an unofficial channel?
Yes. Article 12.3 GDPR does not require the request to arrive through a specific channel for the time limit to start running. If the data subject submits their request by ordinary post, by email to a generic address, or even verbally to an employee, the clock starts from the moment the organisation becomes aware of the request. The controller may, however, ask the data subject for additional information to verify their identity (art. 12.6 GDPR), which suspends the time limit until that information is received — but only where there are reasonable doubts about the requester's identity.
Can the controller charge a fee for handling the request?
As a general rule, no. Article 12.5 GDPR provides that information and communications arising from arts. 15 to 22 shall be provided free of charge. Only where requests are "manifestly unfounded or excessive, in particular because of their repetitive character" may the controller charge a reasonable fee that takes into account the administrative costs of providing the information, or refuse to act. In both cases, the controller must demonstrate the manifestly unfounded or excessive nature of the request.
What happens if the controller responds by refusing the rights request?
The controller may refuse a rights request where the exceptions provided for in the GDPR apply (for example, where the processing is necessary to comply with a legal obligation, or where the data are necessary for the establishment, exercise, or defence of legal claims). In that case, the controller must communicate the reasoned refusal to the data subject within the one-month period and inform them of their right to lodge a complaint with the AEPD and to seek judicial remedies. A refusal without reasons, or given out of time, is treated in the same way as silence.
Can the data subject complain directly to the AEPD without waiting for the controller to respond?
Article 77 GDPR grants the right to lodge a complaint with a supervisory authority. In Spain, the AEPD admits complaints under arts. 63 to 65 LOPDGDD once the one-month period laid down in Article 12.3 GDPR has elapsed without a response, or where the response received is unsatisfactory. In practice, the AEPD recommends that the data subject have previously attempted to exercise the right directly before the controller and be able to demonstrate this, but it is not a statutory admissibility requirement. The Agency may decline to admit complaints where there is no evidence that the data subject even attempted to make the request, although this is exceptional.