Can You Charge for a Subject Access Request (SAR)?
You can charge for a SAR, but only under specific circumstances and only for the admin costs of dealing with it.
SARs take up time and resources – but can you charge the individual making the request for your effort?
In this article, we’ll answer that question. We’ll discuss the exceptions where you can charge for a SAR and the rules and regulations governing those circumstances.
What the Law Says
GDPR law says that SARs must generally be fulfilled free of charge. However, there are some exceptions where you can charge a “reasonable fee”.
“Where requests are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either: (a) charge a reasonable fee taking into account the administrative costs of providing the information; or (b) refuse to act on the request.” – Article 12(5) UK GDPR.
When Can You Charge for a SAR?
The two main circumstances where you can charge for a SAR are when the SAR is manifestly “unfounded” or “excessive”.
“Unfounded” means that the individual clearly has no real intention of exercising their right, i.e. a request that’s made purely to cause disruption or harassment. This could be a former, disgruntled employee who makes a SAR every week to make as much work as possible for the company.
An “excessive” SAR is one that is repetitive or requests a disproportionate volume of data with little value or justification. For example, you’re the owner of a small business, and a former worker requests all the information that you hold on them. An initial search turns up 3,000 emails, and you may consider handling the request a burden on your resources.
What Does “Reasonable Fee” Mean?
The law says that you can charge a “reasonable fee” in these circumstances, if you choose to respond to the request (as opposed to refusing it outright). But what constitutes “reasonable”?
The fee should cover the administrative costs of dealing with the request, i.e.:
- Staff time:
  - Assessing whether or not you’re processing the data
  - Locating, retrieving and extracting the data
  - Communicating the response to the individual, even if you’re not providing the data
- Printing and postage, or other associated costs of transferring the data
- Cost of media (USB stick, CD, etc.)
You should charge fees in a proportionate and consistent way. It’s best practice to include a copy of the criteria you’re using to create the fee in your SAR policy, so you can justify the cost.
How to Handle SAR Fees
Best practice when handling subject access requests that might qualify for charging a fee:
- Assess whether the request meets the criteria for a fee.
- Inform the requester as soon as possible:
  - Explain why the request is excessive or unfounded.
  - Provide a fee estimate.
- Document your decisions as you go along so you can provide reasoning to the ICO if necessary.
- Pause the clock: the 1-month SAR response time doesn’t start until the fee is paid.
What Happens If You Get It Wrong?
You must be sure that charging for a SAR is justifiable – if you get it wrong, you could face punishment from the ICO or end up in court. An individual can complain to the ICO if they feel that you’re wrong to charge a fee, so it pays to be cautious.
One key example of a company getting it wrong is the case of Dawson-Damer v Taylor Wessing LLP, where the company withheld information and implied a fee should be charged. The court ruled that Taylor Wessing had not proven that the request was disproportionate, confirming that it is up to the data controller to demonstrate the request’s difficulty, not the other way around.
Need Help Reviewing a SAR?
Our experts can help with the full SAR lifecycle, from consulting on your processes to reviewing and redacting data to responding to the requests themselves. Get in touch today.