Introduction to this document

GDPR data subject access clarification/refusal

Before responding to a data subject access request, the UK GDPR says that you can use reasonable means to verify the individual’s identity, or you can ask them to be more specific about the data sought where you process large quantities of personal data about them. You can also request a fee, or refuse to respond, if the request is manifestly unfounded or manifestly excessive.

Response requirements

The UK GDPR allows employees and other individuals to obtain a copy of their personal data from you by making a data subject access request (DSAR). You must normally respond without charging a fee and “without undue delay” and at the latest within one month of receipt of the request, although there are provisions enabling this time limit to be extended by two months if the request is complex. The one-month time limit is calculated from the day you receive the request, whether it is a working day or not, until the corresponding calendar date in the next month. If this is not possible because the following month is shorter and there is no corresponding calendar date, the date for response is the last day of the following month. If the corresponding date falls on a weekend or public holiday, you have until the next working day to respond.

Further information and identity issues

Where you process a large quantity of personal data about an individual, the UK GDPR permits you to ask them to clarify the information that their DSAR relates to if you genuinely require this in order to respond to the DSAR. The first optional paragraph in our GDPR Data Subject Access Clarification/Refusal provides for this. You also don’t have to comply with a DSAR if you can’t identify the individual who has made the request. So, where you have reasonable doubts concerning their identity, you can ask them to provide such additional information as is necessary to confirm their identity before complying with their DSAR. You should use all reasonable means to verify the individual’s identity. It’s less likely you’ll need to confirm identity with existing staff, as you have an ongoing relationship with them. The second optional paragraph in our letter covers this scenario.

Manifestly unfounded or manifestly excessive

You must provide a copy of the personal data in response to a DSAR free of charge. However, you can charge a reasonable fee, based on your administrative costs of providing the information (which can include staff time), when a request is “manifestly unfounded” or “manifestly excessive”, particularly if it’s repetitive. The burden is on you to demonstrate the manifestly unfounded or excessive character of the request, and this exception is likely to be very narrowly defined. Our third optional paragraph requests a fee and sets out how it should be paid.

In the case of verification of identity or a request for a fee, you don’t need to comply with the DSAR until the individual has verified their identity or paid the fee, and the one-month time limit for responding doesn’t begin to run until that happens. However, where you ask the individual to specify the information that their DSAR relates to, the one-month time limit is simply paused whilst you’re waiting for the employee to clarify their request (known as “stopping the clock”).

Where a DSAR is manifestly unfounded or manifestly excessive, in particular because it’s repetitive, your other option is to refuse to respond. Again, the burden is on you to demonstrate this, and it’s likely to have a very narrow application. Where you refuse to act on a request, you must set out your written reasons to the individual without undue delay and at the latest within one month of receipt of the DSAR. You must also inform them of their right to complain to the Information Commissioner’s Office or to seek a judicial remedy in the courts. Our fourth optional paragraph covers an outright refusal.