<img src="https://certify.alexametrics.com/atrk.gif?account=b2hlr1ah9W20em" style="display:none" height="1" width="1" alt="">
    Get started

    data subject access requests

    Under GDPR, Article 12 (5), a response to a Data Subject Access Request (DSAR) must now be provided free of charge, unless the request is deemed to be manifestly unfounded, excessive or repetitive in character, whereby the Data Controller can either levy a reasonable fee taking into account the administrative burden associated to providing a response or refuse to act upon the request.

    However, with either option the burden of proof relating to the manifestly unfounded, excessive or repetitive nature of the request lies firmly with the data controller, and when choosing not to reply to a request, the Data Controller must, within one month advise the data subject why, and give them rights of referral to lodge a complaint or refer the matter to the supervising authority.

    So what does the removal of the DSAR fee mean exactly?

    Let’s unpack this a little further. Firstly, let’s examine the removal of the fee. In my experience, any Data controller who previously charged a fee for responding to a DSAR, charged anything from £10 to £25 per response. Assuming that a Data Protection Officer (or similar) would be responsible for co-ordinating the response, and collating the data supplied from one or more sources in the business, it is a fair and reasonable assumption to make, that a minimum of two people would be involved in a DSAR response, and that at least one hour would be spent in doing so, resulting in a DSAR “earning” the Data Controller a maximum of £12.50 per hour, hardly enough to cover the costs associated to providing the response. So clearly, the fee was always intended to be nominal, and to act as a deterrent to those would seek to frustrate or hinder the usual business operations of a firm, by making vexatious requests.

    However, in reality, such a person would not pay a fee if asked, and would continue to make DSARs, or make contact with the firm in other ways, letter writing, emails and calls to a call centre for example, all aimed at wasting the time and money of the firm – an approach often taken by disgruntled customers, who have, in their mind, had their time and money wasted by the firm. So even with GDPR providing a Data Controller with the right to levy a fee in such circumstances, it is unlikely to bring an effective resolution to the problem of the harassing, and pestering activities of someone who is determined to cause disruption.

    A small and reasonable fee applied to multiple or excessive requests made by a legitimate enquirer on the other hand, are likely to paid, although as we have seen above, such a small fee does not run close to covering the time spent responding to a DSAR, even if it is made in a legitimate manner.

    Refusing to respond at all however, may well be a more effective route economically for the Data Controller, although issuing a response citing this course of action will, as Article 12 requires, necessitate the Data Controller detailing why it is not responding and why it considers the request to be manifestly unfounded.

    To be manifestly unfounded, will, in the eyes of the Data Controller be a fair and clear presentation of a situation. However, it may, on the other hand, be a manifestly legitimate request in the eyes of the requester, so such a statement would, to a large degree be subjective and therefore debateable by both sides, resulting in further commentary and/or communication between the parties, each proffering its view to the other, until such times as either the requesting party concedes, or complains to the supervisory authority, but now armed with what they will detail as the Data Controller’s unwillingness to act reasonably despite them being able to present tombs of correspondence on the matter with them.

    The conclusion therefore, the removal of the fee itself does very little to aid either the Data Subject or the Data Controller when it comes to responding to a DSAR.

    Leave a comment


    eBook: Essential Uncovered

    Skillcast Essentials is our best-selling library and there's a reason for that. Essentials library provides comprehensive coverage of the key compliance / conduct issues that companies in the UK face today.

    Request now

    9 ways to reduce the risk of bribery and corruption

    Corruption affects all countries, rich and poor. It causes instability, inequality, and poverty, eroding national wealth. Despite the UK Bribery Act coming into force in 2011 as one of the toughest ...

    Read More
    Highlights from the GDPR 2019 Summit

    Almost a year on from the implementation of the GDPR, Skillcast held a breakfast forum for its clients at South Place Hotel. During this session, Skillcast gave a breakdown of the new GDPR Library of ...

    Read More
    Compliance Essentials News - May 2019

    Here's a selection of the most informative compliance news stories this month - regulatory announcements, market studies, and stories about compliance lapses and downright disregard of ...

    Read More
    FCA Compliance News - May 2019

    Here's a selection of news stories from the last month that touch upon the people dimension of regulatory compliance. Select the links or scroll down for more details. 3 firms and 5 individuals are ...

    Read More