How to respond to a Data Subject Access Request – Can you refuse?
Under data protection law (confirmed in the GDPR), individuals have the right to be aware of, and to verify the lawfulness of, the processing of their personal data. The way to exercise this right is to make a Data Subject Access Request (DSAR).
An organisation that receives a DSAR will usually be duty-bound to respond; however, there are some circumstances in which you may refuse to take action:
1. You are not the data controller. Be careful to assess the true relationship and whether you genuinely are the data controller. If you are processing on behalf of someone else, you may not have to respond.
2. The request is “manifestly unfounded or excessive”. If it is, you can consider charging a reasonable fee, or refuse to act on the request.
3. The request is an abuse of rights. This could be the case if the individual is only making a request to harass or cause substantial expense to the business.
You must exercise extreme caution when deciding not to respond.
If you decide to respond, you should engage with the individual. Rather than refusing outright, you could seek to narrow the scope of the request.
Remember that you must respond to the request within one month. It is possible to extend the response deadline by a further two months, but you should notify the individual of this extension within the first month.
It is sensible for all organisations that hold data to review their policy on subject access requests and to train staff responsible for requests. If you receive a subject access request, we are happy to help guide you through the process. Please contact Kate Brooks on 01202 057754 or firstname.lastname@example.org