Can You Charge for a DSAR? Fees, Costs, and When You Can Say No

When you can charge for a DSAR response, how to calculate a reasonable fee, and comparison across GDPR, CCPA, and PIPEDA.

Last updated: 2026-05-24

The General Rule: DSARs Are Free

Under the GDPR, the UK GDPR, the CCPA, and PIPEDA, the default rule is the same: responding to a data subject access request must be free of charge. You cannot charge people for exercising their legal right to access their own personal data.

Disclaimer: This content is for informational purposes only and does not constitute legal advice. Privacy regulations are complex and change frequently. You should consult a qualified attorney for guidance specific to your business. The information here is based on the GDPR (Article 12(5) and Article 15(3)), the CCPA (Cal. Civ. Code § 1798.130), PIPEDA, and the UK GDPR, as of the date of publication.

This was not always the case. Before the GDPR took effect in May 2018, organizations in the UK could charge up to 10 pounds for a standard subject access request (and up to 50 pounds for health or education records). That fee regime ended with the GDPR. The shift to free-by-default reflected a simple principle: people should not have to pay to find out what data is held about them.

But "free by default" does not mean "free in every possible circumstance." There are specific, narrow situations where you can charge a fee or refuse to act. Understanding exactly when those exceptions apply — and when they do not — is important for any business that handles DSARs.

When You Can Charge Under GDPR and UK GDPR

Article 12(5) of the GDPR (and the equivalent provision in the UK GDPR) permits you to either charge a reasonable fee or refuse to act when a request is manifestly unfounded or manifestly excessive.

Manifestly Unfounded Requests

A request is manifestly unfounded when the individual has no genuine intention of exercising their data protection rights. The bar is very high. Examples:

  • The requester has explicitly stated they are making the request to harass or disrupt your business
  • The requester has admitted they do not actually want the data
  • The request is clearly part of a pattern of behavior designed to cause problems rather than to obtain personal data

What does not make a request manifestly unfounded:

  • The person is angry with your business
  • You suspect they want the data for a legal claim against you
  • The request is inconvenient or poorly timed
  • The person has also made a complaint about your service

Manifestly Excessive Requests

A request is manifestly excessive if it is clearly unreasonable in scope or frequency. Relevant factors include:

  • Whether the person has made repeated, identical requests over a short period, where the data has not changed between requests
  • Whether the request substantially overlaps with a previous request you have already fulfilled
  • Whether the request appears designed to overwhelm rather than to obtain information

Important: a request is not manifestly excessive simply because it covers a lot of data or requires significant effort. An individual requesting five years of correspondence across multiple systems is making a thorough request, not an excessive one. Volume alone does not make a request excessive.

What Counts as a Reasonable Fee?

If you determine that a request is manifestly unfounded or excessive and decide to charge rather than refuse, the fee must be reasonable and based on the administrative costs of complying with the request.

The GDPR does not specify a formula, but administrative costs typically include:

  • Staff time spent locating, retrieving, and compiling the data
  • Staff time spent reviewing and redacting third-party information
  • Costs of copying or converting data into the requested format
  • Postage or delivery costs (if physical copies are requested)

What you cannot include:

  • A markup or profit margin
  • The cost of your initial decision-making about the request
  • Overhead costs not directly related to fulfilling the specific request
  • Legal fees for analyzing whether you are obliged to respond (that is your problem, not the requester's)

There is no official cap on the fee, but "reasonable" means proportionate. A fee of several thousand pounds for a straightforward request would be difficult to justify. Keep detailed records of how you calculated the fee, because you may need to justify it to a regulator.

Additional Copies

Separately from the manifestly unfounded/excessive exception, Article 15(3) of the GDPR allows you to charge a reasonable fee based on administrative costs when a person requests further copies of data you have already provided. The first copy is always free. If they come back and ask for the same data again (not new data that has been collected since the first request, but the same data), you can charge for the second copy onward.

CCPA: Free With Limited Exceptions

Under the California Consumer Privacy Act, businesses must respond to consumer requests to know free of charge (Cal. Civ. Code § 1798.130). The CCPA is more restrictive about fees than the GDPR.

The Two-Request Rule

The CCPA requires businesses to process requests to know up to twice in a 12-month period at no charge (Cal. Civ. Code § 1798.130(b)). If a consumer submits more than two requests within 12 months, the business may decline to act on additional requests, provided it notifies the consumer and explains why.

Note that this is a per-consumer limit. Two different consumers making one request each does not count as two requests for this purpose.

No Fee Provision

Unlike the GDPR, the CCPA does not include an explicit mechanism for charging a reasonable fee for excessive requests. The remedy for excessive requests under CCPA is to decline the request, not to charge for it. In practice, if a consumer makes more than two identical requests in a year, you can tell them you have already fulfilled their request twice and are not obligated to respond again until the next 12-month period.

Discriminatory Pricing

The CCPA prohibits discriminating against consumers who exercise their privacy rights (Cal. Civ. Code § 1798.125). This means you cannot raise prices, reduce service quality, or impose financial penalties on consumers because they submitted a data request. While you can offer financial incentives for allowing data collection, you cannot punish people for exercising their rights.

PIPEDA: Generally Free

Under Canada's Personal Information Protection and Electronic Documents Act, organizations must respond to access requests at minimal or no cost to the individual (PIPEDA Principle 4.9).

When Fees Are Permitted

PIPEDA allows organizations to charge a fee in some circumstances, but it must be:

  • Minimal — not a deterrent to exercising the right
  • Communicated in advance — the individual must be informed of the approximate cost before the organization proceeds, so they can decide whether to go ahead with the request

The Office of the Privacy Commissioner of Canada has stated that fees should reflect the actual cost of providing the information and should not be used to discourage access requests. In practice, most PIPEDA access requests are fulfilled at no cost.

Provincial Laws

Quebec's Law 25 (An Act to modernize legislative provisions as regards the protection of personal information) and the provincial privacy laws in Alberta (PIPA) and British Columbia (PIPA) each have their own rules about fees for access requests, but all follow the same principle: fees must be reasonable and should not serve as a barrier to access.

For more on Canadian privacy law, see our PIPEDA jurisdiction guide and Quebec Law 25 guide.

Comparison Across Jurisdictions

Here is how the fee rules compare across the major privacy frameworks:

| Framework | Default Rule | When You Can Charge | Fee Standard |
|---|---|---|---|
| EU GDPR | Free | Manifestly unfounded/excessive requests; additional copies | Reasonable, based on administrative costs |
| UK GDPR | Free | Manifestly unfounded/excessive requests; additional copies | Reasonable, based on administrative costs |
| CCPA/CPRA | Free | No fee mechanism; can decline after 2 requests in 12 months | Not applicable |
| PIPEDA | Free or minimal cost | Where cost is unavoidable; must notify in advance | Minimal |
| Quebec Law 25 | Free or nominal fee | Reasonable transcription costs | Nominal |

The pattern is clear: every major privacy framework treats free access as the default. Charging is the exception, not the rule.

How to Document Your Decision

If you decide to charge a fee or refuse a request on the grounds that it is manifestly unfounded or excessive, documentation is critical. You bear the burden of proving that the request met the threshold.

What to Record

  • The request itself — keep a copy of the original request, including the date received
  • The history — if you are claiming the request is excessive because of repetition, document previous requests from the same individual, the dates, and what data was provided
  • Your reasoning — explain in writing why you consider the request manifestly unfounded or excessive, with reference to the specific facts
  • The decision-maker — record who made the decision and their role
  • The fee calculation — if charging, show how the fee was calculated, broken down by cost category
  • Communication with the requester — keep copies of all correspondence, including your notification of the fee or refusal

What to Tell the Requester

Whether you are charging or refusing, you must inform the requester:

  1. That you consider the request manifestly unfounded or excessive (and whether you are charging or refusing)
  2. The specific reasons for your decision
  3. The amount of the fee (if charging) and how it was calculated
  4. Their right to complain to the relevant supervisory authority (the ICO in the UK, a data protection authority in the EU, or the equivalent regulator in your jurisdiction)
  5. Their right to seek a judicial remedy

You must communicate this within the standard response deadline — one calendar month under GDPR, 45 days under CCPA.

The Practical Reality

In practice, charging for a DSAR or refusing one on grounds of being manifestly unfounded or excessive is rare, and it should be. Here is why:

Regulators are skeptical. The ICO, European data protection authorities, and the Office of the Privacy Commissioner of Canada all take a narrow view of when these exceptions apply. If a requester complains and you cannot clearly demonstrate that the request was genuinely unfounded or excessive, you will be found to have violated the law.

The cost of getting it wrong is higher than the cost of complying. An ICO investigation, a regulatory fine, or a court case will cost far more than simply responding to the request. Even if you believe a request is borderline, the safer path is usually to respond.

Most requests are straightforward. The majority of DSARs come from people who genuinely want to see their data — former employees, customers checking what you hold, individuals exercising their rights out of curiosity or concern. These are legitimate requests, and they should be handled without friction.

For more on handling difficult or repeated requests, see our guides on vexatious and excessive DSARs and DSAR exemptions.

References

Last reviewed: May 2026. Privacy laws change frequently. Verify all statutory references against the current text of the law and consult qualified legal counsel before making compliance decisions for your business.
