In this instalment of our GDPR FAQs mini blog series, we consider whether organisations are able to refuse to respond to a subject access request if responding would be time-consuming or costly to the business.
Our Frequently Given Response:
There are very limited circumstances in which organisations are entitled to refuse to respond to subject access requests, namely where the request is manifestly unfounded or excessive, taking into account whether the request is repetitive in nature. If you consider a request to be manifestly unfounded or excessive, you can request a reasonable fee to deal with the request or refuse to deal with the request. In either case, your decision must be justified and it may be reviewed by the ICO if the data subject makes a complaint. If you wish to charge a fee, it should be determined on the basis of the administrative costs of complying with the request, and you should promptly contact the individual to notify them.
If a subject access request is particularly complex, you may be entitled to extend the period within which you are required to respond (one month) by a further two months.
If you have concerns about responding to subject access requests because of the impact of coronavirus on your organisation, please see our blog.
There are also a number of exemptions set out in the Data Protection Act 2018 (which supplements GDPR) which may mean that you don’t need to include certain types of personal data that you process within your response.