Can You Refuse a Subject Access Request?

Organisations can refuse to comply with a subject access request if an exemption under the UK GDPR applies.


A subject access request (SAR) is one of the main rights data subjects have over the handling of their personal data. Otherwise known as the right to access, a SAR allows individuals to access copies of their personal information collected by an organisation. 

Data subject access requests (DSARs) are more common than ever. They can be made in writing, verbally or even on social media. Mostly, individuals make DSARs (or SARs) for genuine reasons. But sometimes, they go beyond this scope.

Organisations can refuse to comply with these requests. That’s why there are exemptions in place. Keep reading to find out what exemptions apply and how to handle SARs compliantly going forward. 

When Can You Refuse a Data Subject Access Request? 

You must have legal grounds to deny a subject access request. Refusing one, however, is a decision that you can’t take lightly. And the exemptions leave no leeway for poor excuses. 

As an organisation, you can withhold some or all personal data if the request is:

  • Manifestly unfounded: The data subject makes a SAR but doesn’t genuinely intend to exercise their access right. 
  • Manifestly excessive: The request is unreasonable or excessive.

If these exemptions apply, you must provide a written response explaining your refusal to the individual. The data subject can, however, take this to the ICO if they believe their SAR has been unfairly rejected.

When Can a SAR Be Seen as Unfounded or Excessive?

Organisations often refuse to respond to a SAR if it’s manifestly unfounded or excessive.

Manifestly Unfounded

A request is manifestly unfounded if the individual has no real intention of exercising their rights, or if the request is malicious in intent. They may also use the request to harass an organisation, with no real purpose other than to cause disruption.

Abusive language in a SAR doesn’t, however, make it manifestly unfounded, even if it has caused offence.

Example: A disgruntled ex-employee makes a subject access request to their former employer for their personal data. They make unverified claims about a specific employee who conducted their dismissal. The accusations are prompted by malice and personal grudges, so the SAR is made out of spite rather than to exercise their rights.

Manifestly Excessive

In order to determine if a request is manifestly excessive, organisations should consider whether the request is clearly unreasonable. To confirm this, they must consider the nature and context of a request, their resources and whether it overlaps or repeats previous requests. 

This exemption doesn’t mean you can refuse SARs because they’re ‘too much work’. Instead, you need a genuine cause for it being excessive. 

Example: An individual contacts their utility supplier for all their personal data, including their smart meter data. They made an identical SAR two weeks prior and have created a new request to rush their supplier. This request is manifestly excessive as it repeats and overlaps with another request. 

Like any refusal, you must have clear reasons for classifying a DSAR as manifestly unfounded or excessive. The ICO will always do its due diligence into data subject complaints, so be ready for anything. 

The term ‘manifestly’ indicates that organisations should provide evidence which demonstrates why the request is unfounded.

Ignoring SARs Will Cost You 

The ICO receives 35,000 complaints from data subjects every year. Most of these relate to concerns over the rules and regulations surrounding data access. 

Far too often, SAR complaints result from delays, unsatisfactory responses and a lack of trust in, or understanding of, what they’ve been told. Organisations are required to respond to SARs within one calendar month (unless an extension is applied) and should aim to keep the data subjects updated throughout.

If you’re refusing a DSAR, don’t just ignore it. Be prepared to discuss your reasons for refusal and stay open to further dialogue. Transparency is key here, so put yourselves in their shoes and be open.

New SAR Support Service

Need help managing subject access requests? At Data Protection People, we’ve upgraded our SAR support service to streamline the handling process and keep you compliant. 

Our SAR service is powered by advanced data processing software that breaks down complex data formats for faster response times. We have also introduced new pricing and an improved UX for easier document navigation. 

For a full breakdown, view our poster to see how we compare to other software used for SARs.

Get SAR Support at Data Protection People 

Mishandling a subject access request can damage your reputation and finances. Contact our team to discuss how we can make your SAR processes compliant and more efficient.