Under GDPR, Article 12 (5), a response to a Data Subject Access Request (DSAR) must now be provided free of charge, unless the request is deemed to be manifestly unfounded, excessive or repetitive in character, whereby the Data Controller can either levy a reasonable fee taking into account the administrative burden associated to providing a response or refuse to act upon the request.
However, with either option the burden of proof relating to the manifestly unfounded, excessive or repetitive nature of the request lies firmly with the data controller, and when choosing not to reply to a request, the Data Controller must, within one month advise the data subject why, and give them rights of referral to lodge a complaint or refer the matter to the supervising authority.
So what does the removal of the DSAR fee mean exactly?
Let’s unpack this a little further. Firstly, let’s examine the removal of the fee. In my experience, any Data controller who previously charged a fee for responding to a DSAR, charged anything from £10 to £25 per response. Assuming that a Data Protection Officer (or similar) would be responsible for co-ordinating the response, and collating the data supplied from one or more sources in the business, it is a fair and reasonable assumption to make, that a minimum of two people would be involved in a DSAR response, and that at least one hour would be spent in doing so, resulting in a DSAR “earning” the Data Controller a maximum of £12.50 per hour, hardly enough to cover the costs associated to providing the response. So clearly, the fee was always intended to be nominal, and to act as a deterrent to those would seek to frustrate or hinder the usual business operations of a firm, by making vexatious requests.
However, in reality, such a person would not pay a fee if asked, and would continue to make DSARs, or make contact with the firm in other ways, letter writing, emails and calls to a call centre for example, all aimed at wasting the time and money of the firm – an approach often taken by disgruntled customers, who have, in their mind, had their time and money wasted by the firm. So even with GDPR providing a Data Controller with the right to levy a fee in such circumstances, it is unlikely to bring an effective resolution to the problem of the harassing, and pestering activities of someone who is determined to cause disruption.
A small and reasonable fee applied to multiple or excessive requests made by a legitimate enquirer on the other hand, are likely to paid, although as we have seen above, such a small fee does not run close to covering the time spent responding to a DSAR, even if it is made in a legitimate manner.
Refusing to respond at all however, may well be a more effective route economically for the Data Controller, although issuing a response citing this course of action will, as Article 12 requires, necessitate the Data Controller detailing why it is not responding and why it considers the request to be manifestly unfounded.
To be manifestly unfounded, will, in the eyes of the Data Controller be a fair and clear presentation of a situation. However, it may, on the other hand, be a manifestly legitimate request in the eyes of the requester, so such a statement would, to a large degree be subjective and therefore debateable by both sides, resulting in further commentary and/or communication between the parties, each proffering its view to the other, until such times as either the requesting party concedes, or complains to the supervisory authority, but now armed with what they will detail as the Data Controller’s unwillingness to act reasonably despite them being able to present tombs of correspondence on the matter with them.
The conclusion therefore, the removal of the fee itself does very little to aid either the Data Subject or the Data Controller when it comes to responding to a DSAR.