Table of Contents
In Short
- Subject access requests (SARs) allow individuals to request access to their personal data under UK GDPR.
- Businesses can refuse SARs if the request is manifestly unfounded, excessive, or if legal exemptions apply.
- Refusals must be justified with clear communication and documentation.
Tips for Businesses
Ensure each SAR is assessed individually, and carefully document justifications for any refusals. Comply with transparency obligations when rejecting a request by informing individuals of their rights and options to challenge the decision.
Data subjects have several rights under the UK GDPR, including the right to access the personal data your organisation holds about them. Your business may face a problematic ex-employee or a demanding customer who continuously sends subject access requests (SARs) and wonder what to do. SARs can be time-consuming and complex, and you may question whether your business must always comply with such requests. Under the UK GDPR, there are circumstances where your business can refuse to respond to SARs. This article will explore some common grounds companies can consider relying upon to say no to a subject access request.
What is a Subject Access Request?
A SAR allows individuals to request a copy of their personal data held by your business. It is a core right under the UK GDPR, which aims to afford individuals transparency and control over the use of their personal information.
Individuals are entitled to know whether your business processes their data, obtain a copy of the personal data, and receive additional information such as why their data is being processed, who it is shared with, and how long it will be stored.
Can You Refuse to Comply with a Subject Access Request?
Your business can refuse to comply with a subject access request under specific conditions.
Common grounds to deny the request include the following:
An Exemption Applies
The UK GDPR contains various legal exemptions that you could use to avoid complying with a SAR request.Examples of these exemptions include legal professional privilege, preventing crime, and safeguarding third-party data. However, these exemptions must be carefully considered on a case-by-case basis, and you should ensure that they are not applied broadly or as blanket policies.
The Request is Manifestly Unfounded
Suppose the individual has no genuine intent to exercise their right to access their data but instead attempts to do so to harass or disrupt your business. In that case, you may be able to justify refusing the request.
For example, if an individual makes repeated SARs and offers to withdraw them in exchange for compensation or a benefit, the request would be considered manifestly unfounded.
The Request is Manifestly Excessive
You may refuse a request if it imposes an unreasonable burden on your business due to the amount of data requested or the frequency of requests, making compliance impractical. However, you should not consider the request as excessive just based on the volume of data requested. You must assess whether the request is unreasonable when balanced against the individual’s need for the information.
Many businesses may face a situation where a disgruntled employee, perhaps gearing up for a claim or having raised a grievance, submits a SAR demanding access to all documents, emails, and correspondence that mention them. This tactic is a way to gather evidence for potential claims, and such requests can significantly strain company resources. However, suppose your business can demonstrate that the request is being used maliciously, intending to disrupt, or imposes an unreasonable burden due to the volume or nature of the data requested. In that case, they may be able to justify refusing the SAR.
However, your business must assess each SAR individually based on its specific context, as the UK data protection regulator’s guidance discourages blanket refusals. You should also keep records documenting your justifications for refusal to demonstrate compliance with the UK GDPR.
What Does Manifestly Unfounded Mean?
A request is manifestly unfounded when it is clear that the individual is not genuinely interested in their personal data but has malicious intent. This could include submitting the request to harass or disrupt your business or offering to drop the request in exchange for a benefit such as financial compensation.
What Does Manifestly Excessive Mean?
A subject access request becomes manifestly excessive if fulfilling it places a disproportionate burden on your business in terms of resources or cost.
To assess whether a request is excessive, you should consider factors such as the nature of the relevant data. You should also consider whether the request repeats previous SARs, and the effort required to respond compared to the benefit for the individual. For example, numerous requests within a short period, with no significant change in data, may be excessive.
Continue reading this article below the formCall 0808 196 8584 for urgent assistance.
Otherwise, complete this form and we will contact you within one business day.
What Exemptions May Allow Refusal?
Several critical exemptions under the UK GDPR allow businesses to withhold specific data in response to a SAR.
These include:
Crime Prevention and Taxation
If releasing the personal data could interfere with crime prevention, law enforcement, or tax collection, your business can refuse the request.
Legal Professional Privilege
Personal data is exempt from a SAR if it falls under legal professional privilege.
You can refuse a subject access request if the data comes under legal professional privilege. This privilege covers confidential communications between a client and their lawyer for the purpose of giving or receiving legal advice or preparing for litigation. This privilege applies only to confidential exchanges where the dominant purpose is legal advice or litigation.
This factsheet sets out how your business can become GDPR compliant.
Third-Party Data
If responding to a SAR request means you would disclose personal information about another individual, you can refuse to provide that information unless the third party consents or it is reasonable to release it without their permission. You should carefully assess the situation prior to disclosure of any third-party data without consent.
What Should Your Business Do If You Refuse a Request?
If your business refuses a subject access request, you must notify the individual and explain your reasoning.
This includes:
- provide a clear explanation for the refusal and why;
- informing the individual of their right to challenge your decision by complaining to the Information Commissioner’s Office; and
- advising the individual of their right to enforce their request.
Key Takeaways
There are various grounds under which you may be able to refuse a SRA. For example, if you can justify that the request is manifestly unfounded, manifestly excessive, or if a legal exemption under the UK GDPR applies. However, you should consider each request on a case-by-case basis and fully justify any refusals. Clear documentation recording your decision-making process and transparent communication with the individual are also vital to ensure compliance with the UK GDPR rules.
If your business needs advice on refusing a subject access request, our experienced data privacy lawyers can assist you through LegalVision’s membership service. For a low monthly fee, you will have unlimited access to our lawyers, who can answer your questions and draft or review your documents. Call us today at 0808 196 8584 or visit our membership page.
Frequently Asked Questions
The UK GDPR is the crucial law which governs how businesses process personal data. It sets out principles for lawful data processing and gives individuals rights, such as access to personal data.
A subject access request is a legal right under the UK GDPR that allows individuals to request access to the personal data a business holds about them. The request also entitles individuals to supplementary information, such as the reasons for processing their data and any sharing with any third parties.
We appreciate your feedback – your submission has been successfully received.
