DSAR Exemptions: When Can You Legally Refuse or Charge for a Request?
Author: Jerisaliant
The Default: Free and Obligation to Respond
Under GDPR Article 12(5), the first copy of personal data must be provided free of charge. However, the regulation provides mechanisms for organizations to manage abusive or excessive requests.
Manifestly Unfounded Requests
You may refuse to act on a DSAR if it is manifestly unfounded. A request may be considered manifestly unfounded if:
- The requester has no genuine intention of exercising their data protection rights and is instead using the DSAR mechanism for another purpose (e.g., as a substitute for discovery in litigation, to harass staff, or to cause disruption or damage to the organization).
- The request is made in bad faith or is clearly vexatious.
Important: The bar for "manifestly unfounded" is very high. Mere inconvenience or cost to your organization does not make a request unfounded. You must be able to demonstrate specific reasons why the request is not a genuine exercise of data protection rights.
Excessive Requests
You may charge a reasonable fee or refuse to act if requests are excessive, in particular because of their repetitive character. Factors to consider:
- How many requests the individual has made in a recent period.
- How much the data has changed since the last request was fulfilled.
- Whether the individual is making requests at unreasonable intervals.
If you decide to charge, the fee must be reasonable and based on the administrative cost of providing the information. You cannot charge a deterrent fee designed to discourage legitimate requests.
Third-Party Rights
A DSAR response must not adversely affect the rights and freedoms of others. This means:
- You may redact information that identifies other individuals (unless those individuals consent to disclosure).
- Trade secrets and confidential business information may be redacted.
- Legal privilege may protect certain information from disclosure.
However, the existence of third-party data in the records does not justify refusing the entire request. You must provide as much personal data as possible while redacting only what is necessary to protect others' rights.
Other Exemptions
- Legal obligations: Certain data may be exempt from disclosure if it is required for legal compliance (e.g., anti-money laundering records).
- Public interest: Some exemptions apply for data processed in the public interest or for research purposes.
- National security: Member States may restrict data subject rights for national security purposes.
- CCPA-specific: California exempts certain employee and B2B data from some DSAR obligations.
Procedural Requirements When Refusing
If you decide to refuse or charge for a request, you must:
- Inform the data subject of the refusal and the reasons within 30 days.
- Inform them of their right to lodge a complaint with a supervisory authority.
- Inform them of their right to a judicial remedy.
The burden of proof for demonstrating that a request is manifestly unfounded or excessive rests on the controller.
Jerisaliant's DSAR module includes exemption assessment workflows with guided decision trees, ensuring refusals are properly justified and documented.