South America has quietly become the world’s pressure cooker for privacy response times. Compared with the one-month norm in the EU and the 45-day baseline in California, several South American laws expect organisations to confirm or fulfil data subject requests in a matter of days. That reality changes how you staff, triage, and automate DSAR operations. Below is a practical, fact-checked playbook that compares deadlines, highlights country nuances, and shows how to operationalise DSARs at South American speed.
How South American DSAR timelines compare globally
South America’s centre of gravity is fast. Uruguay gives controllers five business days to answer access and related requests. Argentina sets ten calendar days for access and five business days for rectification or deletion. Brazil’s LGPD requires immediate confirmation and a full response within 15 days. By contrast, the EU GDPR allows one month, extendable to three for complex cases, and California’s CCPA, as amended by CPRA, allows 45 days with a possible 45-day extension. These shorter LATAM clocks materially affect intake, verification, search, and fulfilment design.
Country-by-country DSAR deadlines at a glance
Below are the core response timelines that drive your service levels in key South American jurisdictions. Read the nuance, since “consultations” versus “complaints,” calendar versus business days, and extensions or staged confirmations can alter exact obligations. Use these as SLA anchors, then tune your workflows, holiday calendars, and escalation paths per country law and regulator guidance. Where available, the citations point to the official text or recognised legal summaries.
Brazil: 15 days, with immediate confirmation under the LGPD
Brazil’s LGPD obliges controllers to confirm whether data exists “immediately” in simplified form, then provide a complete, clear statement within 15 days that includes the origin, criteria, and purpose of processing. This two-step rhythm means you need a same-day acknowledgement mechanism and a parallel path for the full disclosure. ANPD guidance and widely cited English translations align on this 15-day clock. Plan for volume by pre-building data maps, so the 15-day window covers collection across core systems plus any processor queries.
Argentina: 10 days for access, 5 business days for rectification or deletion
Argentina’s Law 25.326 sets a ten-day deadline, counted in calendar days, to provide access. For rectification, updating, or deletion, the controller must act within five business days of a verified request. The Agency for Access to Public Information (AAIP) reiterates the five-day rectification or deletion rule. Ensure your templates and queues separate access from correction or deletion, since the shorter five-day SLA often becomes the pacing item. Argentina is also moving toward an updated regime, yet the legacy timelines remain in force until reform is enacted.
Colombia: 10 business days for consultations, 15 business days for complaints
Under Law 1581 of 2012 and Decree 1377 of 2013, “consultations” must be answered within 10 business days. “Claims” for rectification, updating, or deletion are due within 15 business days, with a one-time extension available when properly noticed. Distinguish these pathways in your intake, since routing a request as a consultation versus a claim changes the SLA. The Superintendence of Industry and Commerce enforces these timelines, so log delays, notices, and evidence are meticulously maintained.
Uruguay: 5 business days to respond
Uruguay’s Law 18.331 and regulator guidance set a five-business-day response period, among the shortest worldwide. This compressed window rewards teams that maintain ready-to-query data inventories and that can package disclosures with minimal manual assembly. Expect enforcement oriented around whether you provide timely, comprehensive answers, and whether you document any refusal or limitation properly. Build clear weekend and holiday handling in your calendars to avoid missing the five-day mark.
Peru: 20 business days for access, 10 business days for rectification, cancellation, or opposition
Peru’s data protection framework requires a maximum of 20 business days to respond to access requests, and 10 business days for rectification, cancellation, or opposition. Several public sector resources and regulated entities publish these SLAs consistently. Because access is longer than correction or deletion, a blended DSAR that combines rights may need split responses, or you can meet the earliest obligation first and follow with access within 20 business days.
Ecuador: 15 days for rights fulfilment under the LOPDP
Ecuador’s 2021 Organic Law on Personal Data Protection, reinforced by 2023 regulations, requires controllers to attend to data subject rights requests within 15 days. That timeline applies across rectification and other rights, so your Ecuador playbook can mirror Brazil’s pace, but without the “immediate confirmation” layer. Maintain a local holiday calendar and a bilingual template set for efficient responses across public and private sector contexts.
Chile: 30 calendar days, under the new Law 21.719
Chile enacted Law 21.719 in December 2024, creating a dedicated data protection agency and setting defined procedures and deadlines. Current guidance indicates the controller must respond to rights requests within 30 calendar days from submission, once extendable for another 30 when justified. That puts Chile closer to the EU’s one-month approach, still faster than many non-EU regimes. Track implementation decrees and agency guidance as procedures mature.
Why South America’s clocks are shorter
The region’s laws emphasise prompt, meaningful control over personal data, often codifying short, business-day clocks, and sometimes layering staged duties, for example, immediate confirmation plus a complete report. These frameworks predate, parallel, or deliberately differentiate from the GDPR’s longer default. The result is an operating environment that rewards automation, standardised evidence capture, and measured triage. Compared with California, where 45 days plus an extension is common, South American controllers face tighter operational tolerances.
The DSAR compliance playbook for LATAM teams
To thrive under five-, ten-, and fifteen-day clocks, your program must combine intake discipline, identity verification, rapid data location, and precise fulfilment. The steps below package repeatable operational moves that keep you ahead of statutory deadlines, while preserving evidence for audits or complaints. Use them as building blocks for each jurisdiction’s specific triggers, counting rules, and extension mechanics, and remember to align your vendor contracts so processors meet your controller-level SLAs.
- Map legal clocks to SLAs
Turn each statutory timeline into a service-level with internal buffers, then publish them to legal, IT, and support teams so everyone works to the same countdown. - Segment request types early
Classify intake as access, rectification, deletion, opposition, or portability, since timelines differ, and some rights are faster than others - Standardise identity verification
Apply proportionate, country-appropriate identity checks, and capture proof of verification to defend your response timeline and denial decisions. - Automate data discovery
Pre-wire searches across core systems and processors, so a single request kicks off standardised queries, collection, and deduplication. - Use staged responses where allowed
Where laws permit confirmation now and full disclosure soon after, send the confirmation quickly, then complete the comprehensive response. - Localise calendars and notices
Build business-day calculators per country, including local holidays, and maintain bilingual templates for acknowledgements and clarifications. - Escalate blockers at T-X
Create time-based escalations, for example, at T-72 hours, to legal or IT when data owners have not responded, and log every nudge. - Log everything for audit
Store the intake, verification steps, system queries, copies of disclosures, and delivery receipts, so you can evidence compliance on demand.
Quick reference: timelines that drive your SLAs
Use this compact comparator to set realistic buffers and staffing for South America and benchmark against EU and California.
- Uruguay, 5 business days
Access and related rights are due in five business days, one of the fastest standards globally. - Argentina, 10 days access, 5 business days rectification/deletion
Separate access from correction, since the five-day SLA is the tighter operational target. - Brazil, 15 days plus immediate confirmation
Send simplified confirmation promptly, then deliver the full disclosure within 15 days. - Colombia, 10 business days consultations, 15 business days complaints
Intake classification determines which clock applies, so route correctly. - Peru, 20 business days access, 10 business days for other ARCO
Split fulfillments when a mixed request is submitted. - Ecuador, 15 days for rights
Aligns closely with Brazil’s pace, though without Brazil’s staged confirmation. - Chile, 30 calendar days, once extendable
New regime with agency oversight, closer to the EU’s one-month model.
How PrivacyEngine helps you meet five-, ten-, and fifteen-day clocks
Short deadlines demand automation, clarity, and proof. PrivacyEngine centralises DSAR intake from web forms and email, applies configurable identity verification, and routes requests by country, right, and requester type. Built-in SLA timers reflect business-day or calendar-day rules, with localised holiday calendars, so teams always see the true deadline. Data discovery workflows orchestrate standardised searches across systems and processors, then assemble clean, redactable packages. Templates handle bilingual acknowledgements, clarifications, and lawful denials. An audit-ready trail captures every action, notice, and delivery, with dashboards for counsel and executives. This operational backbone helps you convert diverse statutory clocks into predictable, repeatable execution.
What’s next
Two developments should be on your radar. First, Chile’s Law 21.719 is in force, and the agency will issue guidance and procedures that refine timelines and documentation requirements, including how extensions should be justified. Monitor rulemaking and adjust workflows accordingly. Second, Argentina has moved a modernisation bill that, among other changes, maintains very short rights timelines, reinforcing the region’s aggressive posture. Track regulator publications and credible practitioner analysis, then update templates, calculators, and evidence standards to match.
Conclusion
South America’s privacy regimes compress DSAR execution into days, not weeks. If you build clear intake, rigorous verification, fast discovery, and evidence-rich fulfilment, these clocks become manageable and repeatable. Treat the timelines above as non-negotiable SLAs, automate wherever possible, and keep a close watch on Chile’s implementation and Argentina’s reform. With the right operating model, and with PrivacyEngine as your workflow and evidence layer, you can meet five-, ten-, and fifteen-day demands confidently, even at scale.
