DSARs are the result of the GDPR’s (General Data Protection Regulation) right of access.
This is one of eight data subject rights enshrined in the Regulation. It enables individuals to request the personal information that an organisation is processing about them.
When an individual submits a DSAR, the organisation must provide the relevant information within one calendar month from receipt.
However, there are circumstances when organisations are permitted to deny a request. This blog looks at DSAR exemptions and explains when they apply.
Can you refuse to comply with a DSAR?
Organisations can refuse a DSAR if they believe that the request is manifestly unfounded or manifestly excessive.
Alternatively, they can charge a fee to complete requests that are deemed manifestly unfounded or excessive.
Unfortunately, the GDPR doesn’t clarify when a request can be considered unfounded or excessive. However, the UK’s data protection authority, the ICO (Information Commissioner’s Office), has broadened its definition.
What does “manifestly unfounded” mean?
A DSAR is manifestly unfounded if the individual has no intent to exercise their right of access or if the request is “malicious in intent and is being used to harass an organisation with no real purpose other than to cause disruption”.
This might be the case, for example, if the individual offers to withdraw the DSAR in return for some sort of benefit.
The ICO notes that a DSAR is also manifestly unfounded if the request contains unsubstantiated accusations about the organisation’s practices.
You should be careful with these examples, however. The ICO states that although requests that contain aggressive or abusive language are unacceptable, this doesn’t necessarily make a request manifestly unfounded.
Indeed, there is no simple set of guidelines that determines when something is or isn’t manifestly unfounded. Organisations must always consider a request in the context that it was made.
What does “manifestly excessive” mean?
A DSAR can be manifestly excessive in several ways. The first relates to the frequency with which an individual submits a request.
If someone submits multiple DSARs in a short period – particularly if the organisation has not begun any new processing activities – the request is almost certainly excessive.
A request can also be excessive if the effort required to complete it is disproportionate to the burden or costs involved in providing the information.
Organisations should consider several things, including:
- The nature of the requested information;
- The context of the request;
- The organisation’s relationship with the individual; and
- Whether a refusal to provide the information (or to acknowledge that they have it) would cause substantive damage to the individual.
Organisations should also consider their available resources, whether the DSAR repeats previous requests made recently and whether this request overlaps with others.
What steps should I take in refusing a DSAR?
When determining whether a DSAR is manifestly unfounded or excessive, organisations must take each request on its own merit.
You cannot have a blanket policy that states that all requests are unfounded or excessive if they are sent in a particular way.
You must also understand that the word “manifestly” infers that the unfoundedness or excessiveness of a request must be clear and obvious. If you are unsure whether a request meets the criteria, you should err on the side of caution and fulfil it.
However, if you are confident that the request isn’t justified, you must be able to demonstrate this to the individual and the ICO.
As part of this, you must inform the individual why you believe their request is manifestly unfounded or excessive. You must also remind them of their right to make a complaint to the ICO and to seek to enforce their right through the courts.
DSAR compliance with GRCI Law
Although the ICO has clarified some of the technical issues around DSARs, many organisations are still unsure about the practicalities surrounding the right of access.
What should the first step of the process be? Should there be a system to determine if a request is manifestly unfounded or excessive, or whether further clarification is needed?
If you need advice or support answering these questions, GRCI Law is here to help.
Our DSAR as a Service provides the guidance you need to manage the process quickly and effectively.
Our team of experienced lawyers, barristers and cyber security experts will manage the response process on your behalf.
This includes verifying the validity of the request, confirming the individual’s identity, liaising with your organisation to produce the necessary information and documenting the necessary facts related to the request.