Version Last Updated: October 2019
Where an individual makes a verbal access request, they may want or be satisfied with a
verbal response to their access request, depending on the nature of the request. Controllers
should consider keeping a record of the verbal response issued, as well as what they
understood the request to be. If a request asks that the response be made in writing,
controllers should provide the response in writing to the address provided.
Can controllers charge a fee for responding to an access request?
In most cases individuals cannot be required to pay a fee to make a subject access request.
Only in certain very limited circumstances, per Article 12(5) GDPR, where the initial request
is ‘manifestly unfounded or excessive’ (which the controller must prove), can a controller
charge a ‘reasonable fee’ for the administrative costs of complying with the request.
Controllers are also allowed to charge a reasonable fee, based on administrative costs, where
an individual requests additional copies of their personal data undergoing processing.
Are there any other limitations on the right of access?
Under Article 12(5) GDPR, in limited circumstances, where an access request is ‘manifestly
unfounded or excessive’, a controller may also, where appropriate, refuse to act on the
request. This is, however, a high threshold to meet, and the controller must be able to prove
that the request was manifestly unfounded or excessive, in particular taking into account
whether the request is repetitive. There should be very few cases where a controller can
justify a refusal of a request on this basis.
There is a general limitation on the exercise of the right of access under Article 15(4) GDPR,
which states that the right to obtain a copy of the personal data undergoing processing should
not negatively impact (‘adversely affect’) the rights and freedoms of others, such as privacy,
trade secrets, or intellectual property rights. However, where a controller does have concerns
about the impact of complying with a request, their response should not simply be a refusal
to provide all information to the individual; rather, they should endeavour to comply with the
request insofar as possible whilst ensuring adequate protection for the rights and freedoms of others.
Whilst the right of access to personal data is a fundamental data protection right, it is not
an absolute one, and is subject to a number of limited exceptions. Article 23 GDPR allows
for data subject rights to be restricted in certain circumstances. Any such restrictions must be
set out in a ‘legislative measure’, respect the essence of the fundamental rights and
freedoms, be necessary and proportionate in a democratic society, and safeguard an
interest of public importance. The Data Protection Act 2018 contains certain provisions
dealing with the restrictions of rights of data subjects, including sections 59, 60, and 61 in
particular, which give further effect to the provisions of Article 23 GDPR.
Accordingly, if a controller considers that it is justified in withholding certain information in
response to an access request, it must identify an exemption under the GDPR or the 2018
Act, provide an explanation as to why it applies, and demonstrate that reliance on the
exemption is necessary and proportionate.