DSAR Exemptions: When You Can (and Can't) Refuse a Request
A practical guide to DSAR exemptions: when you can legally refuse or limit a data subject access request, and when you cannot.
Last updated: 2026-02-07
Can You Refuse a DSAR?
Yes, sometimes. But much less often than you might hope.
Disclaimer: This article is for informational purposes only and does not constitute legal advice. Privacy regulations are complex and change frequently. You should consult a qualified attorney for guidance specific to your business. The information here is based on the GDPR (in particular Article 23, which governs restrictions on data subject rights), the CCPA (Cal. Civ. Code § 1798.145, which sets out exemptions), and the UK Data Protection Act 2018, as of the date of publication.
The right of access under GDPR, UK data protection law, and CCPA is broad. People are entitled to their personal data, and the default position is that you must provide it. But there are specific, defined circumstances where you can refuse a request entirely, withhold certain data, or charge a fee.
This guide covers every major exemption in practical terms — what it actually means, when it genuinely applies, and when businesses try to use it as an excuse (and get caught).
If you need the basics on what a DSAR is and how to respond, start with our DSAR overview and step-by-step response guide.
The Ground Rules
Before we get into specific exemptions, here are three rules that apply to all of them:
- Exemptions are narrow. They exist for specific situations, not as general get-out clauses. If you are looking for a reason not to respond, you are approaching this wrong.
- You must still respond. Even when you are refusing a request or withholding data under an exemption, you must tell the requester that you are doing so, explain why (to the extent you can without defeating the purpose of the exemption), and inform them of their right to complain to the relevant regulator.
- The burden of proof is on you. If you claim an exemption applies, you need to be able to justify it. "We thought it might apply" is not a defense. Document your reasoning.
Exemption 1: Manifestly Unfounded or Excessive Requests
This is the exemption businesses ask about most. Under GDPR Article 12(5), you can refuse to act on a request that is manifestly unfounded or manifestly excessive (the Article gives repetitive requests as the main example of "excessive").
What "Manifestly Unfounded" Means
A request is manifestly unfounded when the individual has no genuine intention of exercising their right of access. In practice, this is a very high bar. Examples that might qualify:
- The requester has openly stated they are making the request to cause your business problems, not because they want their data
- The request is part of a pattern of clearly vexatious behavior (and you can document this)
- The requester has admitted they do not actually want the data
Examples that do not qualify:
- The requester is angry with your business (people often exercise their data rights when they are unhappy — that is normal and legitimate)
- The requester is a difficult customer
- You suspect they might use the data in a legal claim against you (they are allowed to do this)
- The request is inconvenient or time-consuming for you
- The person has also submitted other complaints or requests at the same time
The ICO has been clear: a request is not manifestly unfounded simply because the person has an ulterior motive. Unless the request clearly has no genuine basis in data protection rights, it is valid.
What "Manifestly Excessive" Means
A request is manifestly excessive if it is clearly disproportionate, taking into account:
- Whether it is a repeated request and the data has not changed since the last response
- Whether the person is making overlapping or substantially identical requests
- The volume of work required relative to the scope of the request
Key point: "manifestly excessive" is about whether the request itself is clearly disproportionate, not merely about how much effort it takes you to respond. A single request that covers five years of correspondence across multiple systems is not excessive; it is thorough. A request that is the person's fifth identical request this month, with no change in the data since the last response, might be.
What You Can Do
If a request is manifestly unfounded or excessive, you can either:
- Charge a reasonable fee based on the administrative costs of responding, or
- Refuse to act on the request entirely
Either way, you must:
- Inform the requester of your decision
- Explain why you consider the request unfounded or excessive
- Inform them of their right to complain to the supervisory authority and to seek a judicial remedy
And you must do this within the standard deadline (one month under GDPR).
Our Honest Advice
Unless you have very clear evidence that a request is being used to harass your business, do not try to use this exemption. Regulators view it skeptically, courts interpret it narrowly, and getting it wrong exposes you to more liability than just responding would have.
Exemption 2: Third-Party Data
This is not really an exemption in the sense of refusing a request — it is a limitation on what you must disclose. When the data you hold about the requester also contains personal data about other identifiable individuals, you generally must not disclose that third-party data.
How This Works
Suppose a customer DSARs you and your records include email threads involving other customers, or internal notes that name other individuals. You must provide the requester's data, but you should redact information about other people unless:
- The other person has consented to the disclosure, or
- It is reasonable to disclose the information without consent (considering factors like the type of data, the other person's expectations of privacy, and whether they are a public figure)
What to Redact
- Names and contact details of other customers or individuals
- Any personal information about third parties that is not relevant to the requester's own data
- Sensitive personal data about other people (health information, for example)
What You Probably Do Not Need to Redact
- The names of your own employees who dealt with the requester (this is generally considered reasonable to disclose — the ICO has confirmed this)
- Generic role titles ("your account manager" rather than a specific name, if you prefer, though the name is usually fine)
- Information the requester already knows (such as the name of their own family member who is also referenced in the data)
The Common Mistake
Businesses sometimes use "third-party data" as an excuse to withhold entire documents. That is wrong. The correct approach is to redact the third-party information and provide the rest. Withholding an entire email thread because one line mentions another person's name is not proportionate.
Exemption 3: Legal Professional Privilege
Communications between you and your legal advisors that are subject to legal professional privilege are exempt from disclosure. This covers:
- Legal advice privilege — communications between you and your lawyer for the purpose of giving or receiving legal advice
- Litigation privilege — documents created for the dominant purpose of existing or contemplated legal proceedings
What This Covers
- Emails between you and your solicitor about a legal matter involving the requester
- Legal opinions prepared by your lawyer
- Documents prepared for the purpose of litigation
What This Does Not Cover
- Every communication with your lawyer, simply because a lawyer is involved (routine correspondence that contains no legal advice is not automatically privileged)
- Internal discussions about legal strategy that do not involve actual legal advice
- Documents that happen to be in your lawyer's possession but are not privileged in nature
Practical Application
If an employee DSARs you during an employment dispute, you do not have to disclose your lawyer's advice about the dispute. But you do have to disclose the employee's own personal data — their performance reviews, emails, HR records, and so on — unless a specific exemption applies to each item.
Privilege protects the legal advice, not all data related to the matter.
Exemption 4: Confidential References
Under the UK Data Protection Act 2018 (Schedule 2, Part 4, paragraph 24, one of the restrictions made under the power in GDPR Article 23), you are not required to disclose a reference given in confidence for the purposes of education, training, employment, or the provision of services.
Important distinctions:
- Under the 2018 Act the exemption covers confidential references you gave and confidential references you received (for example, from the requester's former employer). This is a change from the Data Protection Act 1998, which only covered references you gave; guidance written against the older Act still circulates, so check which regime a source is describing.
- The exemption applies to the reference itself, not to the underlying data. If the reference contains factual information you also hold elsewhere (dates of employment, job title), that data is still in scope from those other sources.
Exemption 5: Management Forecasting and Planning
The UK DPA 2018 provides an exemption for personal data processed for the purposes of management forecasting or management planning, where disclosure would prejudice those activities.
In practice, this might apply to:
- Planning documents about organizational restructuring that mention specific employees
- Succession planning that references individual employees
- Business development plans that involve staffing changes
The exemption only applies to the extent that disclosure would prejudice the planning activity. If the plans have already been implemented or announced, the exemption likely no longer applies.
This is a narrow exemption. Do not use it to withhold any management document that mentions an employee.
Exemption 6: Negotiations
Personal data consisting of a record of your intentions in negotiations with the requester may be exempt where disclosure would prejudice those negotiations.
For example: if you are in salary negotiations with an employee and your internal notes record the maximum amount you are prepared to offer, disclosing that would obviously prejudice the negotiation. The exemption protects this.
Once the negotiations are concluded, the exemption no longer applies.
Exemption 7: Crime Prevention and Detection
Under certain circumstances, you can withhold data if disclosure would prejudice:
- The prevention or detection of crime
- The apprehension or prosecution of offenders
- The assessment or collection of tax
This is most commonly relevant when:
- An employee is under investigation for fraud or misconduct, and disclosing the investigation data would tip them off and allow them to destroy evidence
- Law enforcement has requested that you not disclose certain information
- There is an active criminal investigation
The exemption only applies for as long as disclosure would prejudice the relevant purpose. Once the investigation is complete or the threat has passed, the data must be disclosed if requested.
Exemption 8: Regulatory Functions
Data processed for regulatory functions — including functions designed to protect the public against dishonesty, malpractice, or other conduct — may be exempt where disclosure would prejudice those functions.
This is primarily relevant to regulators and professional bodies, but it can apply to businesses in specific circumstances, such as when you are cooperating with a regulatory investigation and the regulator has asked you not to disclose certain information to the data subject.
Exemption 9: Health, Education, and Social Work Data
There are specific exemptions for data processed in the context of health, education, and social work, where disclosure would be likely to cause serious harm to the physical or mental health of the data subject or another person.
For most small businesses, this is unlikely to apply. But if you hold any health data about employees (occupational health records, for instance), be aware that there are specific rules about when you can and cannot disclose it.
CCPA-Specific Limitations
The CCPA has its own set of limitations on the right to know (Cal. Civ. Code § 1798.145):
Specific Pieces of Information
Businesses are not required to disclose specific pieces of personal information if doing so would create a substantial, articulable, and unreasonable risk to the security of that personal information, the consumer's account with the business, or the security of the business's systems or networks. This is a security exemption, not a convenience one: you still disclose the categories of information, and you should be able to explain the risk you relied on.
Sensitive Personal Information
For certain high-risk identifiers (Social Security numbers, driver's license numbers, financial account numbers, health insurance or medical identification numbers, account passwords, and security questions and answers), the CCPA regulations prohibit disclosing the actual values in response to a request to know. Instead, you inform the consumer that you have collected that type of information, which protects them if the request was made by someone impersonating them.
Household Data
If the request is for household-level data (as opposed to individual data), there are specific rules about when you must provide it and when you can refuse.
How to Apply Exemptions Properly
Step 1: Default to Disclosure
Start from the position that you will disclose everything. Only withhold data where a specific, identifiable exemption clearly applies.
Step 2: Apply Exemptions Narrowly
Exemptions apply to specific data, not to entire requests. If an exemption covers one document in a response that includes 50 documents, you withhold that one document and provide the other 49.
Step 3: Document Your Reasoning
For every piece of data you withhold, record:
- Which exemption you are relying on
- Why the exemption applies to this specific data
- What impact disclosure would have (where relevant)
- When you expect the exemption to cease to apply (if applicable)
Step 4: Tell the Requester
You must inform the requester that you have withheld some data and explain which exemption applies (to the extent you can without undermining the exemption). You must also tell them about their right to complain to the regulator.
Step 5: Get Advice When Uncertain
If you are not sure whether an exemption applies, get legal advice before relying on it. The cost of a quick legal consultation is much less than the cost of getting it wrong.
What Does NOT Count as an Exemption
Let's be clear about situations that businesses commonly — and incorrectly — cite as reasons not to respond:
- "The data is commercially sensitive" — unless legal professional privilege or another specific exemption applies, you cannot withhold data just because it is commercially inconvenient
- "It would take too long" — that is what deadline extensions are for, not exemptions
- "The person is going to use it to sue us" — that is their right, and it does not affect your obligation to disclose
- "We have a confidentiality agreement" — a private contract does not override statutory data protection rights
- "The data is in backups" — if it is reasonably accessible, it is in scope
- "We are a small business and cannot afford to respond" — the law applies equally regardless of business size
- "The request is annoying" — see "manifestly unfounded" above; annoyance is not a legal standard
For a full look at the consequences of improperly refusing or ignoring a DSAR, see what happens if you ignore a DSAR.
The Bottom Line
Exemptions are a safety valve, not an escape hatch. They exist to protect specific legitimate interests (legal privilege, third-party privacy, ongoing investigations) in specific circumstances. They do not exist to make DSARs optional.
For the vast majority of small business DSARs, no exemptions will apply at all, and you will respond with a full disclosure. When exemptions do apply, they typically cover a small portion of the data, and you still need to provide everything else.
References
- General Data Protection Regulation (GDPR): Article 12(5), manifestly unfounded or excessive requests; Article 23, restrictions on data subject rights.
- California Consumer Privacy Act (CCPA): Cal. Civ. Code § 1798.145, exemptions (full text on the California Legislative Information site).
- UK Data Protection Act 2018: Schedule 2, exemptions from data subject rights; see also the ICO UK GDPR guidance on the right of access.
Last reviewed: February 2026. Privacy laws change frequently. Verify all statutory references against the current text of the law and consult qualified legal counsel before making compliance decisions for your business.
Know Your Obligations Inside and Out
Our DSAR Compliance Guide covers exemptions, deadlines, and the full response process in a practical format designed for small businesses. If you want to understand exactly where you stand, this is the place to start.