
When Can You Deny a Data Subject Access Request?

by John DiGiacomo, Partner, Internet Law

Individuals have the right to obtain a copy of their personal data under the right of access created by regulations such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). That said, this right is not absolute. Regulators recognize that complying with every request, in every circumstance, can be unreasonable and even harmful to a business, so the law allows businesses to refuse or limit a Data Subject Access Request (DSAR) in specific situations. Knowing where these exemptions apply is essential, because unlawfully denying access to requested data can lead to complaints, investigations, and penalties.

What is a Data Subject Access Request?

A DSAR, also sometimes referred to as a DSR (data subject request), is a formal request in which an individual asks a business to disclose the personal data it holds about them. Customers, employees, contractors, and even former clients may submit such requests if the business or organization processes their information.

Generally, a DSAR asks whether data is being collected, what kind of data is held, the purpose and legal basis for processing, how long the data will be retained, where it came from, and whether it has been shared with third parties.

Can a Business Refuse a DSAR?

Yes, but only on specific legal grounds. Under Cal. Civ. Code § 1798.145(h)(3), a business may charge a reasonable fee for, or refuse to act on, a request that is manifestly unfounded or excessive, in particular because of its repetitive character. The same standard appears in GDPR Article 12(5), although the procedures around it differ.

When Is a Request Manifestly Unfounded?

The term “manifestly” is key here. The issue must be obvious and defensible, not speculative or inconvenient. A request may be manifestly unfounded where there is clear evidence that the individual isn’t genuinely exercising their data protection rights. This may include requests made purely to harass, disrupt business operations, or pressure a business into providing compensation.

For example, if an individual offers to withdraw a DSAR in exchange for money, that is evidence of bad faith and a potential ground for refusal. Likewise, if the request rests on unsubstantiated accusations or is plainly a fishing expedition for an unrelated dispute, you may lawfully refuse to comply. In every case, however, context is key. Frustration, aggressive language, or persistence alone is not enough to deny a DSAR. A business has to assess intent carefully and document its reasoning, because it will bear the burden of justifying the refusal.

When is a Request Manifestly Excessive?

Excessiveness is more about proportionality than motive. A request may be manifestly excessive when it happens repeatedly within a short period, especially when no new data processing has happened. A request may also be excessive if the scope is so broad that the effort and cost of compliance are clearly disproportionate to the individual’s needs. When determining whether to comply with a request or not, you may consider factors such as:

The volume of data

The relationship with the individual

Overlap with previous requests

Available resources

Whether refusal would cause real harm to the data subject

Other Lawful Grounds for Refusing or Limiting Access

In some cases, a business may lawfully withhold information where the requestor's identity cannot be verified, where disclosure would reveal trade secrets or another person's personal data, where it would interfere with legal proceedings or undermine fraud prevention, or where it would conflict with the business's own legal obligations, such as those under tax or employment law.

The Legal Basis for Denying DSARs Under GDPR

Under the General Data Protection Regulation (GDPR), Article 15 grants data subjects the right to obtain confirmation of whether their personal data is being processed, access to that data, and a copy of it (Article 15(3)), while Article 15(4) provides that the right to obtain a copy must not adversely affect the rights and freedoms of others. Article 12(5) allows a controller to charge a reasonable fee for, or refuse to act on, a request that is “manifestly unfounded or excessive,” in particular because of its repetitive character. The controller, not the data subject, bears the burden of demonstrating that the request is manifestly unfounded or excessive. Recital 63 adds that where personal data is processed by automated means, the data subject should be able to access it electronically and without undue delay, but it also acknowledges that the right should not adversely affect the rights or freedoms of others, including trade secrets and intellectual property.

Article 23 of the GDPR provides a broader exception framework, allowing EU member states to restrict data subject rights by legislative measure where restriction is necessary to safeguard important objectives such as national security, public security, prevention or detection of crime, protection of judicial independence, or protection of the data subject or rights of others. These restrictions must respect the essence of fundamental rights and freedoms and be necessary and proportionate. Implementing legislation in member states creates variation in how this exception is applied—meaning a DSAR denial that is legally supported in Germany may not be defensible in the Netherlands under their respective national implementation laws. For businesses operating across multiple EU jurisdictions, a one-size-fits-all denial approach creates compliance risk.

Denying DSARs Under the CCPA

The California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., grants California consumers a right to know what personal information a business has collected about them, the categories of sources from which it was collected, the purposes for collection, and the categories of third parties with whom it is shared. The statute and the CPPA's implementing regulations (11 Cal. Code Regs. § 7000 et seq.) permit a business to deny a request to know in certain circumstances: when the business cannot verify the identity of the requestor to the required degree of certainty; when complying would require the business to disclose trade secrets; when the information is not subject to the CCPA because it falls within a statutory exemption under § 1798.145 (such as medical information governed by HIPAA or personal information covered by the Gramm-Leach-Bliley Act); or when disclosing specific pieces of personal information would create a substantial, articulable, and unreasonable risk to the security of that information, the consumer's account, or the business's systems and networks. Certain data elements, including Social Security numbers, driver's license numbers, financial account numbers, and account passwords, must never be disclosed in response to a request to know, although the business should still tell the consumer that it has collected that type of information. Note that the partial exemptions for employee and business-to-business data expired on January 1, 2023 under the CPRA, so the fact that a requestor is an employee or job applicant is no longer a basis for denial.

The CCPA does not authorize denial of a DSAR simply because the response would be burdensome. Compliance is the default obligation; denial is the exception and requires a specific legal ground. When a business denies a request in whole or in part, it must inform the consumer of the decision and the reason for it, and must still disclose whatever portion of the requested information it can lawfully provide. The CCPA itself creates no formal appeal process; the consumer's recourse is a complaint to the California Privacy Protection Agency (CPPA) or the Attorney General, either of which can investigate non-compliance. Civil penalties under the CPRA reach $2,500 per unintentional violation and $7,500 per intentional violation, and each non-compliant response to a verified consumer request can constitute a separate violation.

Third-Party Rights as a Basis for Partial or Full Denial

One of the most common legitimate grounds for limiting a DSAR response is that full disclosure would reveal personal information about a third party. GDPR Article 15(4) and Recital 63 acknowledge that access should not adversely affect the rights and freedoms of others, including trade secrets or intellectual property, but courts and data protection authorities have generally held that this exception must be applied narrowly, and that redaction of third-party identifiers, rather than wholesale denial of the DSAR, is the appropriate response. The UK Information Commissioner's Office (ICO) and multiple EU supervisory authorities have published guidance making clear that a controller cannot withhold an entire dataset simply because it contains some information about third parties; instead, the controller must redact the third-party information and provide the remainder.

In practice, this means that businesses responding to DSARs often need to conduct a document-by-document review of potentially responsive records, redact third-party personal information (names, contact details, identifying information of other employees or customers who appear in records about the requestor), and produce the redacted records with an explanation of what was redacted and why. This process can be expensive and time-consuming, particularly for businesses that have not organized their data in ways that make personal information easily retrievable. Data mapping and record-keeping practices designed with DSAR response in mind can substantially reduce the per-request cost of compliance.

Excessive or Repetitive Requests: When Businesses Can Charge a Fee or Refuse

GDPR Article 12(5) permits a controller to either charge a reasonable fee or refuse to act on requests that are “manifestly unfounded or excessive.” Supervisory authorities have interpreted “manifestly excessive” narrowly; it is a high bar. A single comprehensive DSAR, even one that requires significant work to answer, is generally not “excessive.” A pattern of requests clearly designed to harass or disrupt business operations is more likely to qualify: multiple requests per month covering the same information, requests timed to coincide with litigation and intended to obtain discovery outside normal legal channels, or requests accompanied by explicit statements of harassing intent. Controllers who invoke this exception must be prepared to demonstrate, with documentation, the specific basis for that characterization.

Under the CCPA, Cal. Civ. Code § 1798.130(b) provides that a business is not required to provide the information covered by a request to know to the same consumer more than twice in a 12-month period. The limit applies per consumer and is measured over any 12-month window. A business can respond to a second request within that window by pointing to its prior response where the personal information covered has not materially changed, and by explaining what updates have occurred. This provision gives businesses a bright-line rule for repeat requestors that sits alongside the more open-ended “manifestly unfounded or excessive” standard, which § 1798.145(h)(3) of the CCPA shares with GDPR Article 12(5).

Identity Verification: When You Cannot Verify the Requestor

Businesses must take reasonable steps to verify the identity of a DSAR requestor before responding—and “reasonable” depends on the sensitivity of the data and the type of authentication information already collected from the consumer. GDPR Article 12(6) permits a controller to request additional information to confirm the identity of a data subject when the controller has reasonable doubts about the identity of the person making the request. However, the controller must not request more information than necessary; asking for a passport scan to verify the identity of someone who signed up with an email address is likely disproportionate.

The CCPA verification regulations (11 Cal. Code Regs. § 7060 et seq.) set standards that scale with the sensitivity of the information requested and with whether the consumer holds a password-protected account. For a password-protected account, the business may verify the consumer through its existing authentication practices, and should re-authenticate the consumer before disclosing specific pieces of personal information. For non-accountholders, a request to know categories of personal information requires matching at least two data points supplied by the consumer against data the business already holds, while a request to know specific pieces requires matching at least three data points and a signed declaration under penalty of perjury. If a business cannot verify identity after reasonable effort, it should tell the requestor what additional information is needed, or, where verification of a request for specific pieces is not possible, explain why and evaluate the request as one for categories of information instead; either way, it should retain a record of the attempt. Ignoring the request is not an acceptable response to a verification problem. The proper response is a request for additional verification information with a clear explanation of what is needed and why.

Responding to DSARs Related to Litigation

When a DSAR arrives from a current or former employee, a terminated customer, or any person who is, or appears likely to become, an adverse party in litigation, businesses face a tension between their data protection obligations and their litigation strategy. Responding fully to a DSAR does not preclude asserting attorney-client privilege or work product protection over specific documents in parallel litigation—these are separate legal frameworks. However, businesses sometimes attempt to use litigation holds as a basis for withholding DSAR responses, which most data protection authorities reject. Processing a DSAR is a separate legal obligation from discovery compliance; one does not override the other.

In the UK, courts have addressed the intersection of DSARs and litigation in several cases. In Dawson-Damer v. Taylor Wessing LLP [2017] EWCA Civ 74, the Court of Appeal held that “disproportionate effort” exemptions must be assessed concretely on the facts and cannot be assumed simply because a response would require significant work. In Rudd v. Bridle [2019] EWHC 893 (QB), the court held that a DSAR cannot be denied simply because it is served in the context of anticipated litigation. EU supervisory authorities have generally reached similar conclusions. The GDPR is a data protection statute, and its rights exist independently of litigation context—businesses must respond to valid DSARs while separately managing their litigation posture.

If your business is navigating a complex DSAR—particularly one involving third-party rights, litigation, or claims of excessive requests—contact the privacy attorneys at Revision Legal through the form on this page or call (855) 473-8474. Our internet law practice advises businesses on CCPA and GDPR compliance, DSAR response protocols, and privacy enforcement defense nationwide.
