Data controllers must respond to such requests within one month of receipt of the request, although this one-month time frame can be extended by up to two further months if, for example, the request is complex (Article 12(3) of the General Data Protection Regulation (GDPR)). However, if the data controller requires this two-month extension of time to fulfil the subject access request, they must inform the individual that an extension of time is required, giving reasons for the delay before the expiry of the initial one-month period.  The data controller does not need the permission of the individual or of the Data Protection Commission (DPC) for this extension of time.