Refusing a data subject request—what is ‘manifestly unfounded or excessive’?

read titleRead full title
Published on LexisPSL on 09/11/2020

The following Risk & Compliance Q&A provides comprehensive and up to date legal information covering:

  • Refusing a data subject request—what is ‘manifestly unfounded or excessive’?
  • What makes a request manifestly unfounded?
  • What makes a request manifestly excessive?
  • General considerations

The General Data Protection Regulation (GDPR) provides for enhanced rights for data subjects, including providing rights of access, rectification, erasure and restriction of processing, data portability, a right to object to processing and a right not to be subject to a decision based solely on automated processing, including profiling, with strict time limits for complying.

Where a data subject request is manifestly unfounded or excessive, in particular because of its repetitive character, you can either:

  1. charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested—see Precedent: Response to data subject request—all rights—charging a fee or extension of time to respond

  2. refuse to act on the request

Each request must be considered individually on a case-by-case basis.

You bear the burden of demonstrating the request is manifestly unfounded or excessive. In order to do so, you should keep a record of your reasoning.

Where you intend to refuse a data subject request, you must inform the data subject, no later than one month after receiving the request, of:

  1. the reasons for not taking action, and

  2. the possibility of lodging a complaint with a supervisory authority or seeking a judicial remedy

Subtopic: Data protection compliance—data subjects rights includes a range of Precedents you can use to respond to data subjects when you are unable to comply with their request.

In deciding

Popular documents