Data Subject Request Timelines and Penalties for Noncompliance by Regulation: GDPR, CCPA, LGPD and APA
DSARs by Regulation – Timelines and Penalties for Noncompliance

Global data regulations like GDPR and CCPA require companies to provide access to the data collected on individuals by facilitating “data subject access requests” (DSARs). DSAR category types vary by jurisdiction, and empower individuals to understand and manage what information is being collected from them.

Companies need to familiarize themselves with what type of request each jurisdiction requires, the length of deadlines for response, and the financial penalties for failing to respond in a timely fashion.
A summary of DSAR information by regulation follows:

Jurisdictions covered: CCPA (California), GDPR (Europe), LGPD (Brazil), APA (Australia).

DSAR Issue: Request rights covered under each regulation
  CCPA: Right to notice; Right to access; Right to opt out of collection; Right to request deletion; Right to equal services and prices; Right to not sell personal information.
  GDPR: Right to be informed; Right to access; Right to rectification; Right to erasure; Right to withdraw consent; Right to restrict processing; Right to data portability; Right to object; Rights in relation to automated decision making and profiling.
  LGPD: Right to be informed; Right to access; Right to rectification; Right to erasure; Right to data portability; Right to anonymize, block or delete unnecessary data; Right to disclosure of subprocessors; Right to understand consent; Right to withdraw consent.
  APA: Right to be informed; Right to anonymize data; Right to access; Right to deny direct marketing; Right to rectification; Right to make a complaint.

DSAR Issue: Time to respond to a data subject request
  CCPA: Respond within 45 days after receipt, potentially extendable once for another 45 or 90 days on customer notification.
  GDPR: Respond within 30 days after receipt, but can be extended to 90 days if necessary, based on the complexity of the request.
  LGPD: Right of access, up to 15 days. Other rights allow for a “reasonable time” for response, which for most inquiries is generally accepted as 30 days.
  APA: Respond within a reasonable period after the request is made, and no longer than 30 days.

DSAR Issue: Can I charge for a DSAR?
  CCPA: No, unless the request is manifestly unfounded or excessive.
  GDPR: You can, but the question here is: should you?
  LGPD: No.
  APA: An organization can’t charge a fee for a request, but can charge a reasonable fee for fulfilling that request.

DSAR Issue: How often can consumers make a DSAR?
  CCPA: Twice per year. Unlimited for requests for deletion and do-not-sell requests.
  GDPR: Unlimited.
  LGPD: Unlimited.
  APA: Unlimited.

DSAR Issue: Who enforces the regulation?
  CCPA: The California Attorney General (“AG”).
  GDPR: The European Data Protection Board and individual country regulators.
  LGPD: The National Data Protection Authority (“ANPD”).
  APA: The Office of the Australian Information Commissioner.

DSAR Issue: How much can I be penalized?
  CCPA: The California AG may bring action for civil penalties of $2,500 per violation, or up to $7,500 per violation if intentional. Private individuals can bring action for the greater of actual damages or statutory damages ranging from $100 to $750 per incident.
  GDPR: Administrative fines can reach EUR 20 million or 4% of annual global revenue, whichever is higher. EU Member States can impose their own penalties for infringements of the GDPR that are not subject to administrative fines under Article 83 of the GDPR.
  LGPD: Up to 2% of total revenue in Brazil in the previous year or up to 50,000,000 Brazilian reais (approximately $13,000,000), whichever is higher. The LGPD also lists possible daily penalties to enforce compliance.
  APA: Up to the greater of AUD $10 million, or 3x the value of the benefit obtained from misusing the information, or 10% of annual Australian revenue.

It is very important for your company to have a full understanding of the types of DSARs individuals can make, and how those requests need to be managed. If you are managing DSARs via email and Microsoft Office tools, you will quickly find yourself unable to handle all of them in a compliant way. Clym’s system was built with an audit-ready, timestamped workflow that lets you manage every DSAR you receive efficiently and cost-effectively, whether you receive 10 or 10,000.

Please contact Clym today to learn how we can get your website compliant with these and other data privacy regulations. If you would like to see our platform in action, our team is ready for you to book a demo at your convenience.