Vexatious and Excessive DSARs: When You Can Legally Refuse a Request

When a DSAR is manifestly unfounded or excessive under GDPR Article 12(5). ICO guidance, real examples, and how to document refusal.

Last updated: 2026-06-07

Not Every DSAR Must Be Fulfilled — But Most Must

The right of access is one of the strongest rights in data protection law. Under the GDPR, the UK GDPR, and most other privacy frameworks, when someone asks for their personal data, the default answer is yes. But the law does recognize that some requests cross a line.

Disclaimer: This content is for informational purposes only and does not constitute legal advice. Privacy regulations are complex and change frequently. You should consult a qualified attorney for guidance specific to your business. The information here is based on the GDPR (Article 12(5)), the UK GDPR, ICO guidance, and UK tribunal decisions, as of the date of publication.

Article 12(5) of the GDPR (and the equivalent provision in the UK GDPR) allows a controller either to charge a reasonable fee or to refuse to act on requests that are manifestly unfounded or excessive, "in particular because of their repetitive character". The same paragraph places the burden of demonstrating that character on the controller, not on the requester. This is the legal basis for dealing with what are sometimes called "vexatious" DSARs, although that exact term does not appear in the GDPR itself.

The critical word in both cases is "manifestly." The request must be clearly and obviously unfounded or excessive — not merely inconvenient, difficult, or annoying. This is a high threshold, and it is intentionally so. The right of access is fundamental, and the exception is narrow.

What "Manifestly Unfounded" Actually Means

A manifestly unfounded request is one where the individual has no real intention of exercising their right of access. They are not genuinely trying to obtain their personal data — they are using the DSAR process for a different purpose entirely.

What the ICO Says

The ICO has provided guidance that a request may be manifestly unfounded where:

  • The individual has explicitly stated that they intend to cause disruption
  • There is clear evidence that the request is being made as part of a campaign of harassment
  • The individual has previously confirmed they do not actually want the data
  • The request is malicious in intent and the individual makes that clear

The ICO emphasizes that you must consider each request on its own merits. You cannot automatically classify a request as unfounded based on your history with the requester or your opinion of their motives.

What It Does Not Mean

The following situations do not make a request manifestly unfounded:

  • The person is in a dispute with you. People frequently exercise their data rights during disputes — employment disputes, consumer complaints, contract disagreements. This is a legitimate use of the right, even if it is tactically motivated.
  • The person might use the data in litigation. There is nothing wrong with an individual obtaining their personal data and then using it as evidence in a legal claim. In fact, this is one of the most common reasons people make subject access requests.
  • The person is a difficult customer. Being difficult does not forfeit your data protection rights.
  • You believe the request is motivated by spite. Unless the person has explicitly told you they are making the request to cause you problems rather than to obtain their data, you are speculating about their motives. Speculation is not enough.
  • The request will be expensive to fulfill. Cost to you is not a factor in determining whether a request is manifestly unfounded. It may be relevant to whether a request is manifestly excessive, but that is a different test.

What "Manifestly Excessive" Actually Means

A manifestly excessive request is one that is clearly and obviously disproportionate. Article 12(5) names repetition as the paradigm case ("in particular because of their repetitive character"), so it is the first indicator to check, though not the only one.

The Repetition Factor

The most clear-cut case of an excessive request is one that is substantially identical to a recent request you have already fulfilled, where the data has not changed since your last response. Recital 63 frames the right of access as one to be exercised "at reasonable intervals"; if someone submits the same request for the same data every week, later iterations may qualify as excessive because no reasonable interval has elapsed and there is nothing new to disclose.

But even here, context matters. If the person has reason to believe new data has been collected since their last request, the new request is not excessive — it is a different request for different data.

Volume Alone Is Not Excessive

A common mistake is to treat a large or complex request as excessive simply because it will require significant effort. A request covering years of data across multiple systems is not excessive merely because it is large: the GDPR gives individuals the right to all their personal data, and that right does not shrink with the volume you hold. Where you process a large quantity of information about the requester, Recital 63 lets you ask them to specify which information or processing activities the request relates to. Use that to scope the work, not to delay it; if the requester declines to narrow the request, you still have to respond to it as made.

The ICO's guidance does allow burden and cost to be weighed, but only as part of a proportionality assessment against the purpose and value of the request. The burden is a factor, not the test, and it is not determinative on its own. A large request from someone who has never made a request before is unlikely to be excessive on volume alone.

Overlapping Requests

If a person makes multiple requests that substantially overlap — for example, requesting data from the same period and the same systems, but phrased slightly differently each time — this pattern may support a finding of excessive, particularly if you have already provided the data once. But you should first check whether the new request actually covers additional data that has been collected since the last response.

Real Tribunal and ICO Examples

Understanding how these tests have been applied in practice helps clarify where the line falls.

Claims of Excessive That Failed

In several First-tier Tribunal decisions, organizations claimed that requests were excessive and were overruled. Common patterns include:

  • Employers claiming employee DSARs were excessive during grievance proceedings. Tribunals have consistently held that employees making DSARs during workplace disputes are exercising a legitimate right, regardless of the employer's perception of their motives.
  • Organizations claiming a request was excessive because it would require reviewing a large volume of emails. The tribunal held that the volume of data held by the organization was its own responsibility, not a basis for refusing the request.
  • A council claiming repeat requests were excessive when the requests covered different time periods. The tribunal held that requests for data from different periods are distinct requests, not repetitions of the same request.

Claims of Unfounded or Excessive That Succeeded

Successful claims are rarer, but they exist:

  • A requester who explicitly told the organization in writing that they were making the request "to cause maximum inconvenience" and had no interest in the actual data was found to be manifestly unfounded.
  • A pattern of hundreds of identical requests from the same person over a short period, where the person refused to engage with responses and immediately submitted new requests, was treated as excessive.

The common thread in successful cases is clear, documented evidence of the requester's intent or behavior that goes beyond legitimate data protection purposes.

Your Options When a Request Qualifies

If you genuinely believe a request is manifestly unfounded or excessive, you have two options under Article 12(5):

Option 1: Charge a Reasonable Fee

You can comply with the request but charge a fee based on the administrative costs of doing so. The fee must be reasonable and proportionate to the work involved. See our guide on DSAR fees and costs for details on calculating a reasonable fee.

Option 2: Refuse to Act

You can refuse to act on the request entirely. This is the stronger option and carries higher risk if your assessment is wrong.

Requirements for Both Options

Whichever option you choose, you must:

  1. Inform the requester of your decision without delay and at the latest within one month of receiving the request (Article 12(4)); the extension available for complex requests applies to acting on a request, not to telling the requester you will not act on it
  2. Explain your reasons — state specifically why you consider the request manifestly unfounded or excessive
  3. Inform them of their right to complain to the relevant supervisory authority (the ICO in the UK)
  4. Inform them of their right to a judicial remedy — they can challenge your decision in court

You must also document your reasoning internally in case the decision is challenged.

How to Document a Refusal

Documentation is your defense. If the requester complains to the ICO or takes you to court, your documentation is what will support (or undermine) your decision.

What to Document

  • The request — a full copy of the request, including the date received and how it was submitted
  • Previous requests — if you are claiming excessive, document every previous request from this person, the dates, what data was provided, and the current request's overlap with them
  • Evidence of intent — if you are claiming unfounded, document any evidence of the requester's stated intent (emails, letters, social media posts, verbal statements recorded at the time)
  • Your analysis — a written assessment of why the request meets the threshold, referencing the specific criteria in Article 12(5) and any relevant ICO guidance
  • Decision-making — who made the decision, their role, and the date
  • Alternatives considered — did you consider charging a fee instead of refusing? Did you consider partial compliance? Document that you considered less restrictive alternatives
  • Communication — copies of all correspondence with the requester about the decision

Who Should Make the Decision

The decision to refuse a DSAR should not be made casually. It should be made by someone with appropriate authority and understanding of data protection law — ideally your Data Protection Officer if you have one, or a senior manager with legal advice. Do not delegate this decision to front-line staff.

The Risks of Wrongly Refusing

Getting this wrong is costly. Here is what you face if you refuse a request and the ICO or a court disagrees with your assessment:

Regulatory Action

The ICO can:

  • Order you to comply with the original request
  • Issue a reprimand
  • Impose a fine: infringements of data subject rights fall in the higher tier under Article 83(5), up to 20 million euros or 4% of worldwide annual turnover, whichever is higher (£17.5 million or 4% under the UK GDPR), though fines for individual DSAR failures are typically far lower
  • Require you to change your processes

Compensation Claims

The requester can bring a claim for compensation under Article 82 of the GDPR (or Section 168 of the UK Data Protection Act 2018) for material and non-material damage caused by your failure to comply with their request. Courts have awarded compensation for distress caused by wrongful refusal, even where no financial loss occurred.

Reputational Damage

If the requester is a current or former employee, a customer, or someone with a public platform, a wrongful refusal can generate negative publicity. ICO enforcement notices are published on their website.

The Asymmetry

Here is the practical reality: the cost of complying with a difficult DSAR is bounded — it is staff time, and it has a ceiling. The cost of wrongly refusing a DSAR is unbounded — it can include fines, legal fees, compensation, and reputational harm. In most cases, complying is the less expensive option, even when the request feels unreasonable.

A Practical Decision Framework

Before concluding that a request is manifestly unfounded or excessive, work through these questions:

  1. Has the person explicitly stated, or clearly shown through documented conduct such as a campaign of harassment, that they have no genuine interest in their data? If not, you probably cannot claim the request is manifestly unfounded.
  2. Is this a repeat of a substantially identical request where the data has not changed? If not, you probably cannot claim it is manifestly excessive.
  3. Can you clearly and specifically articulate why the request crosses the threshold? If your reasoning amounts to "this is annoying" or "this is a lot of work," it does not meet the threshold.
  4. Would you be comfortable presenting your reasoning to the ICO? If not, do not refuse.
  5. Have you obtained legal advice? For any request you are seriously considering refusing, legal advice is a worthwhile investment.

Questions 1 and 2 are alternative grounds, so if the answer to both is no, comply; if the answer to question 3 is no, comply regardless. The threshold is "manifestly", clearly and obviously, and if you are uncertain, the request almost certainly does not meet it.

References

  • General Data Protection Regulation (GDPR), Article 12(5): manifestly unfounded or excessive requests
  • GDPR, Article 83(5): maximum fines for infringement of data subject rights
  • GDPR, Article 82: right to compensation
  • ICO right of access guidance: manifestly unfounded and excessive requests
  • UK Data Protection Act 2018, Section 168: compensation for contravention

Last reviewed: June 2026. Privacy laws change frequently. Verify all statutory references against the current text of the law and consult qualified legal counsel before making compliance decisions for your business.
