Consumers have the right to obtain a copy of their personal data under the right of access stipulated by regulations such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). That said, this right isn’t absolute. Regulators recognize that complying with every request, in every circumstance, can be unreasonable and even harmful to a business. Therefore, the law allows businesses to refuse or limit a Data Subject Access Request (DSAR) in specific situations. Knowing where these exemptions apply is essential because illegally denying access to the requested data can lead to complaints, investigations, and even penalties.
What is a Data Subject Access Request?
A DSAR, also sometimes referred to as a DSR, is a formal request made by an individual asking a business to disclose the personal data it holds about them. Customers, employees, contractors, and even former clients may submit such requests if the business or organization processes their information.
Generally, a DSAR asks whether data is being collected, what kind of data is held, the purpose and legal basis for processing, how long the data will be retained, where it came from, and whether it has been shared with third parties.
Can a Business Refuse a DSAR?
Yes, but only under specific legal grounds. Under CCPA Section 798.145, a business may refuse to comply with a DSAR if it is manifestly unfounded or manifestly excessive. The same concept applies under the GDPR, but with different procedures.
When Is a Request Manifestly Unfounded?
The term “manifestly” is key here. The issue must be obvious and defensible, not speculative or inconvenient. A request may be manifestly unfounded where there is clear evidence that the individual isn’t genuinely exercising their data protection rights. This may include requests made purely to harass, disrupt business operations, or pressure a business into providing compensation.
For example, if an individual offers to withdraw a DSAR in exchange for money, this may indicate bad faith, which is a lawful ground to deny the request. Likewise, if the request is based on unsubstantiated accusations or is designed as a fishing expedition for unrelated disputes, you may lawfully refuse to comply. However, in all cases, context is key. Frustration, aggressive language, or persistence alone may not be enough reason to deny a DSAR. As a business, you have to assess intent very carefully.
When Is a Request Manifestly Excessive?
Excessiveness is more about proportionality than motive. A request may be manifestly excessive when it happens repeatedly within a short period, especially when no new data processing has happened. A request may also be excessive if the scope is so broad that the effort and cost of compliance are clearly disproportionate to the individual’s needs. When determining whether to comply with a request or not, you may consider factors such as:
The volume of data
The relationship with the individual
Overlap with previous requests
Available resources
Whether the refusal would cause real harm to the data subject
Other Lawful Grounds for Refusing or Limiting Access
In some cases, a business may lawfully withhold information where the requester's identity cannot be verified, or where disclosure would reveal trade secrets, interfere with legal proceedings, undermine fraud prevention, or conflict with the business's other legal obligations, such as tax or employment laws.
Contact the Consumer Data Privacy and Compliance Attorneys at Revision Legal
For more information, contact the experienced Consumer Data Privacy and Compliance Lawyers at Revision Legal. You can contact us through the form on this page or call (855) 473-8474.