Can you refuse to comply with a Data Subject Access Request (SAR)? (Updated 2025)

The right of access under GDPR gives data subjects the right to obtain a copy of their personal data. This helps them understand how and why you are using their data and whether you are doing it lawfully.

However, the GDPR, the DPA 2018 and the ICO recognise that, in some circumstances, you might have a legitimate interest in not complying with a Subject Access Request (SAR), so there are a number of exemptions from the right of access. Depending on the specific case, you can therefore refuse to comply with a request fully or partially.

Not all of the exemptions apply in the same way. You should look at each exemption carefully to see how it applies to a particular SAR. Some exemptions apply because of the nature of the personal data in question, e.g., information contained in a confidential reference. Others apply because disclosure of the information is likely to prejudice your purpose, i.e., it would have a damaging or detrimental effect on what you are doing.

The ICO’s detailed guidance states that you can refuse to comply with a SAR if the request is manifestly unfounded or manifestly excessive. Both terms are explained below.

What does manifestly unfounded mean?

A request may be manifestly unfounded if:

The individual clearly has no intention to exercise their right of access (for example, an individual makes a request but then offers to withdraw it in return for some form of benefit from the organisation); or

The request is malicious in intent and is being used to harass an organisation with no real purpose other than to cause disruption.

Meeting one of these descriptions does not, however, mean that a request is manifestly unfounded per se. You must consider a request in the context in which it is made. If the individual genuinely wants to exercise their rights, it is unlikely that the request is manifestly unfounded.

What does manifestly excessive mean?

It means that the request is clearly or obviously unreasonable. You should base this on whether the request is proportionate when balanced with the burden or costs involved in dealing with the request.

This will mean taking into account all the circumstances of the request, including:

the nature of the requested information;

the context of the request and the relationship between you and the individual;

whether a refusal to provide the information, or even to acknowledge whether you hold it, may cause substantive damage to the individual;

your available resources;

whether the request largely repeats previous requests and a reasonable interval hasn’t elapsed; or

whether it overlaps with other requests (although if it relates to a completely separate set of information, it is unlikely to be excessive).

A request is not necessarily excessive just because the individual requests a large amount of information. As stated above, you must consider all the circumstances of the request. You should also consider asking the individual for more information to help you locate the information they want and whether you can make reasonable searches for the information.

Specifically, there is no obligation to comply with a SAR where:

The personal data is processed solely for personal or household activities.

A claim of legal professional privilege applies (the requested information relates to regulatory functions, judicial appointments and proceedings, the honours system, criminal investigations, tax collection, and various corporate finance services).

It relates to personal data used for management forecasting or planning, and complying with the SAR would reasonably prejudice the conduct of the business or activity. For example, the data relates to a staff redundancy that has not yet been announced.

Information about other people involved – access to such data will not be granted unless the individuals concerned consent to the disclosure of their data.

Where a similar or identical request in relation to the same data subject has previously been complied with within a reasonable time period, and there has been no significant change in the personal data held in relation to that data subject, any further request made within six months of the original request will be considered a repeat request.

Publicly available information

Opinions given in confidence or protected by copyright law

Privileged documents

Exemptions set out in Schedules 2 or 3 of the DPA 2018, including:

Crime and taxation: general

Crime and taxation: risk assessment

Legal professional privilege

Functions designed to protect the public

Regulatory functions relating to legal services, the health service and children’s services

Other regulatory functions

Judicial appointments, independence and proceedings

Journalism, academia, art and literature

Research and statistics

Archiving in the public interest

Health, education and social work data

Child abuse data

Management information

Negotiations with the requester

Confidential references

Exam scripts and exam marks

Other exemptions

What should you do if you refuse to comply with a request?

You should inform the data subject of the following information:

the reasons why you decided not to comply with the request;

their right to make a complaint to the supervisory authority; and

their right to seek enforcement of this right before the courts.

Consequences of Wrongfully Denying a SAR

If an organisation wrongfully denies a Data Subject Access Request (SAR), it risks serious consequences. The individual may file a complaint with the relevant supervisory authority, such as the ICO in the UK, which could lead to an investigation. If the authority finds non-compliance, the organisation may face enforcement action, including fines, legal orders to provide the data, and reputational damage. Courts may also be involved if the data subject seeks to enforce their rights directly.

Frequently Asked Questions:

What is a Data Subject Access Request (SAR)?

A Data Subject Access Request (SAR) is a formal request made by an individual to obtain a copy of their personal data held by an organisation. It allows the individual to understand how and why their data is being used and to check that it is being processed lawfully.

Do SAR rules apply to non-EU companies?

Yes. If a non-EU company processes the personal data of individuals in the EU or EEA, it must comply with GDPR, including SAR requirements. The law applies based on the data subject’s location, not the organisation’s.

How long does a business have to respond to a SAR?

A business must respond to a SAR without undue delay and within one month of receiving the request. If requests are complex or numerous, this period may be extended by two further months, but the individual must be informed of the extension and the reasons for it within the first month.

How should an organisation respond to a SAR refusal?

If an organisation refuses to comply with a SAR, it must inform the individual of its refusal. It must also advise them of their right to complain to the supervisory authority and seek legal remedy through the courts.