
Navigating Special Cases in Personal Data for DSARs

One of the most common questions in data privacy compliance is whether organizations can refuse a DSAR request.

While the right of access under GDPR is fundamental, it is not absolute. There are specific situations where organizations can refuse—or partially refuse—a request. However, these situations are narrowly defined, and misapplying them can lead to serious consequences.

In this blog, we’ll explain when a DSAR can be refused, how GDPR defines acceptable grounds, and how to apply these rules safely in practice.

If you’re new to DSARs, it’s helpful to first understand what a DSAR request is and how responses are typically handled.


The Right of Access Under GDPR: Not an Unlimited Right

Under GDPR Article 15, individuals have the right to access their personal data and understand how it is processed.

However, GDPR also recognizes that:

  • Organizations process large volumes of data
  • Requests can sometimes be abusive or impractical
  • Other legal rights (such as third-party privacy) must be protected

This is why GDPR allows limited grounds for refusal.

To understand how responses normally work, see how to respond to a DSAR request.


When Can You Refuse a DSAR Request?

Under GDPR Article 12(5), organizations can refuse a DSAR request if it is:

  • Manifestly unfounded
  • Manifestly excessive

These terms are intentionally strict and must be interpreted carefully.


What Does “Manifestly Unfounded” Mean?

A request may be considered manifestly unfounded when it lacks genuine intent to exercise data rights.

This often applies in situations such as:

  • Requests made to harass or disrupt
  • Requests linked to disputes or grievances rather than data access
  • Requests with malicious intent

However, proving this requires clear evidence, such as patterns of behavior or communication.

Regulators will expect you to justify your decision—not simply assume bad intent.


What Counts as a “Manifestly Excessive” Request?

A DSAR request may be considered excessive when it imposes a disproportionate burden relative to its purpose.

This is usually assessed based on:

  • Scope of the request
  • Volume of data involved
  • Frequency of similar requests
  • Resources required to fulfill it

For example:

  • Repeated requests for the same data within a short period
  • Extremely broad requests covering many years of data
  • Requests requiring extensive manual review across systems

Understanding the DSAR timeline under GDPR is important here, as excessive requests often impact deadlines.


Repetitive Requests and Frequency Considerations

Not all repeated requests are excessive—but patterns matter.

A request may be considered excessive if:

  • It repeats previous requests without new justification
  • It is submitted shortly after a full response
  • It creates operational strain without adding value

In such cases, organizations may:

  • Refuse the request
  • Provide a limited response
  • Refer to previous responses

The key is demonstrating that the request is unreasonable in context.


Partial Refusals and Redactions

Refusing a DSAR request does not always mean rejecting it entirely.

In many cases, organizations apply partial refusals, including:

  • Redacting third-party personal data
  • Withholding legally privileged information
  • Limiting access where disclosure would infringe others’ rights

This is supported under GDPR Article 15(4).

To understand what must still be included, see what is included in a DSAR request.

Partial responses are often the safest approach, balancing transparency with legal obligations.


Risks of Refusing a DSAR Request Incorrectly

Refusing a DSAR request without proper justification can create significant risk.


Regulatory Risk

  • Investigations by data protection authorities
  • Fines up to €20 million or 4% of global turnover

Legal Risk

  • Claims for damages from individuals
  • Escalation to formal complaints

Reputational Risk

  • Loss of customer trust
  • Public enforcement actions

Incorrect refusals are often viewed more seriously than delayed responses, as they indicate misunderstanding of rights.


Real-World Scenarios

Understanding refusal becomes clearer in practical situations.


Scenario 1: Repetitive Request

An individual submits multiple DSARs within weeks requesting the same data.

The organization may refuse subsequent requests as excessive.


Scenario 2: Overly Broad Request

A request asks for “all data ever collected” over many years.

The organization may request clarification or limit scope.


Scenario 3: Third-Party Data Conflict

A DSAR includes emails involving multiple individuals.

The organization provides data but redacts third-party information.


These scenarios show that refusal is often about proportionality, not rejection.


Best Practices for Refusing a DSAR Request

To handle refusals safely:


Document Your Decision

Keep records of:

  • Why the request was refused
  • Evidence supporting your decision

Communicate Clearly

Explain:

  • Why the request is refused
  • What alternatives are available
  • The right to complain to authorities

Offer Alternatives

Instead of a full refusal:

  • Narrow the scope
  • Provide partial data
  • Refer to previous responses

Follow a Structured Process

Use a consistent approach, such as a DSAR request checklist, to avoid inconsistent decisions.


Ensure Proper Verification

Before refusing, confirm the request is valid through identity verification.


How Refusal Fits Into the DSAR Process

Refusal is not a separate action—it is part of the broader DSAR workflow.

It must align with:

  • Response timelines
  • Verification steps
  • Data identification processes

Frequently Asked Questions (FAQs)


1. Can a DSAR request be refused under GDPR?

Yes, but only if it is manifestly unfounded or excessive.


2. What is a manifestly excessive DSAR request?

A request that imposes disproportionate effort relative to its purpose.


3. Can you partially refuse a DSAR?

Yes, by redacting or withholding specific information.


4. Do you need to explain a refusal?

Yes, organizations must provide clear justification.


5. What happens if a DSAR is refused incorrectly?

It may result in complaints, fines, or legal action.


6. Can repeated DSAR requests be refused?

Yes, if they are repetitive and lack new justification.


Conclusion

Refusing a DSAR request under GDPR is possible—but only under strict and carefully defined conditions.

Organizations must approach refusals with:

  • Clear reasoning
  • Proper documentation
  • Transparent communication

Handled correctly, refusal protects both the organization and the rights of individuals.

Handled incorrectly, it becomes a major compliance risk.

As DSAR volumes continue to grow, understanding when and how to refuse requests is essential for maintaining both compliance and operational efficiency.