Can I charge a fee for dealing with a data subject access request?

read titleRead full title
Published on LexisPSL on 08/01/2018

The following Risk & Compliance Q&A provides comprehensive and up to date legal information covering:

  • Can I charge a fee for dealing with a data subject access request?
  • What is a ‘reasonable fee?’
  • What do I do when charging a fee?
  • How does charging a fee affect the time for responding to the request?

The General Data Protection Regulation (GDPR) provides for enhanced rights for data subjects including providing rights of rectification, erasure and restriction of processing, data portability, a right to object to processing and a right not to be subject to a decision based solely on automated processing, including profiling, with strict time limits for complying.

Article 15 of the GDPR provides that the data subject has the right to obtain confirmation as to whether or not personal data concerning them is being processed from the data controller, and where it is, access to the personal data and certain further information—a right of access.

The right of access is very similar in the GDPR to previous legislation, with a handful of notable changes, one of which relates to your ability to charge fees for dealing with requests.

Under the previous data protection regime, you could charge a fee for dealing with a data subject access request in most cases; usually a maximum of £10.

Under the GDPR, in most circumstances you must provide a copy of the personal data undergoing processing free of charge.

You may only charge a reasonable fee (based on the administrative cost of providing the information):

  1. for any further copies requested by the data subject

  2. when requests are manifestly unfounded or excessive, in particular because of their repetitive character

See Precedent: Response to data subject request—all rights—charging a

Popular documents