Do we have to reply to a DSAR?

In almost all cases the answer is “yes”.

If a request is within the scope of the Data Protection Act (there are a few exemptions), you are required to comply and must provide the information requested.

You can also refuse to comply with a subject access request if it is:

  • manifestly unfounded; or
  • excessive.

To decide whether a request is manifestly unfounded or excessive, you must consider each request on a case-by-case basis. You should not have a blanket policy.
You must be able to demonstrate to the individual why you consider the request to be manifestly unfounded or excessive and, if asked, explain your reasons to the Information Commissioner.

