Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
- What Is A Subject Access Request Under UK Law?
- Can A Company Refuse A Subject Access Request?
- Practical Tips To Make SARs Easier For Small Businesses
- Common Scenarios: Employee SARs During Disputes
- Risks If You Refuse Unlawfully (Or Miss Deadlines)
- Essential Documents And Processes To Support SAR Compliance
- Key Takeaways
If you run a small business in the UK, you’ll almost certainly handle personal data - whether that’s customers, website users, or your own team.
At some point, you may receive a subject access request (SAR). That’s when an individual asks for a copy of their personal data and related information you hold about them.
So, can a company refuse a subject access request? Sometimes - but only in narrow circumstances, and you need to handle refusals carefully to stay compliant with UK GDPR and the Data Protection Act 2018.
In this guide, we’ll walk you through when you can refuse (or limit) a SAR, what exemptions actually apply in the UK, and the practical steps to respond lawfully and efficiently as a small business.
What Is A Subject Access Request Under UK Law?
A subject access request (SAR) is a right under the UK GDPR (and the Data Protection Act 2018) for individuals to obtain:
- Confirmation that you process their personal data
- Access to that personal data (a copy)
- Supplementary information about your processing (for example, the purposes, categories of data, recipients, retention periods, and their rights)
In most cases, you must respond without undue delay and within one month. You can extend by up to two further months if the request is complex or you receive numerous requests from the same person - but you must inform the requester within the first month and explain why you’re extending.
Requests are usually free. You can charge a reasonable fee or refuse to act only if the request is “manifestly unfounded or excessive,” or for additional copies. You can also ask for reasonable ID if you doubt the requester’s identity - the time limit will run from when you have what you need to verify identity.
If you regularly receive SARs, it’s wise to set clear internal processes and have a compliant Privacy Policy that explains people’s rights in plain English. A documented process reduces stress when a request arrives and helps you meet deadlines.
Can A Company Refuse A Subject Access Request?
Yes - but only in limited circumstances, and you need a lawful basis for refusing. Broadly, you can refuse to comply (or refuse parts of a request) if:
- The request is manifestly unfounded or excessive
- An exemption under the Data Protection Act 2018 applies (for example, legal professional privilege, confidential references, crime and taxation work, management forecasting, or certain IP/trade secret protections)
- Disclosing third-party personal data would infringe others’ rights and you cannot reasonably obtain consent or redact effectively
Even where an exemption applies, it’s best practice to consider partial disclosure (i.e. provide what you can after redaction), rather than a blanket refusal. If you refuse, you must tell the requester why, inform them of their right to complain to the ICO and to seek a judicial remedy, and keep a clear record of your decision-making.
As a controller, you are expected to act fairly and proportionately. The ICO will look at your reasoning, your policies, and how you balanced competing rights if your refusal is challenged.
Lawful Grounds To Refuse Or Limit Disclosure
Here are the main scenarios where you may lawfully refuse, limit, or charge a fee for a subject access request under UK law. Always apply these carefully, case by case.
Manifestly Unfounded Or Excessive
A request may be “manifestly unfounded” if the individual has no intention of exercising their rights (e.g. they demand money to withdraw the SAR) or uses it to harass, unreasonably target, or cause disruption. It may be “excessive” if it repeats previous requests without reasonable intervals or asks for a truly disproportionate scope.
Before refusing, try to narrow the scope. You can ask the requester to specify the information or systems they’re most interested in. In some cases where you process large volumes of data about the individual, you can also pause the timetable while you seek necessary clarification to locate the data. If you do refuse or charge a fee, document your reasons and how the request met the “manifestly unfounded or excessive” threshold.
If you’re building your process, having clear SAR templates for acknowledgements, clarification requests and responses will save time and ensure consistent wording.
Third-Party Personal Data
Access rights are personal - you don’t have to disclose someone else’s personal data. Often, emails or documents will include mixed data (the requester plus other staff, customers or suppliers). You must consider whether you can:
- Obtain the third party’s consent
- Redact names and identifiers effectively
- Provide a summary rather than the document itself
If disclosure would prejudice another person’s rights and freedoms, you can withhold or redact those parts. Keep a note of your redaction decisions in case of a complaint.
Legal Professional Privilege
Information protected by legal professional privilege is exempt. This includes confidential communications between you and your solicitors for the purpose of obtaining legal advice, and documents prepared for litigation. Many small businesses receive SARs during employment or commercial disputes - it’s common to have privileged advice or litigation strategy in the background. Privileged material should be identified and withheld, but you should still disclose other non-privileged personal data where appropriate.
Confidential References
There’s an exemption for confidential references you give for employment, training, or educational purposes. If your business provided a reference about someone in confidence, you don’t need to disclose that reference in response to their SAR. However, references you receive about the individual may be treated differently - assess carefully and consider third-party rights.
Management Information And Negotiations
In certain cases, you can withhold information where disclosure would prejudice business management forecasting or planning (for example, confidential restructuring plans), or where it would genuinely prejudice ongoing negotiations with the requester (for example, salary negotiations). Apply this narrowly and document why disclosure would cause prejudice.
Crime, Taxation And Regulatory Functions
There are exemptions where disclosure would likely prejudice the prevention or detection of crime, the apprehension or prosecution of offenders, or the assessment or collection of taxes. If you receive a SAR overlapping with an internal fraud investigation or a regulator’s inquiry, take specific advice before disclosing potentially sensitive material.
Trade Secrets And IP
You may restrict access where it would adversely affect trade secrets or intellectual property rights. This doesn’t allow you to refuse wholesale - it’s about protecting confidential algorithms, source code, or proprietary pricing models while still providing the requester with their personal data where possible (often via redaction or summaries).
Employee Records And Internal Emails
Employee SARs can be wide-ranging and often involve inbox searches, messaging tools, and HR files. You’re not required to give them everything ever written about them. Focus on “personal data” - any information that identifies them. That may include:
- HR records, performance notes, and absence history
- Emails about the individual where they’re the subject
- System logs relating to their use of IT systems (where identifiable)
Apply the exemptions above (third-party privacy, privilege, management planning) and consider reasonable searches. If a request is extremely broad, seek clarification to narrow date ranges, systems, or topics. For timing and workflow tips, many teams adopt a playbook aligned with the one-month limit - guides on SAR deadlines can help you plan resourcing and extensions properly.
How To Respond If You Intend To Refuse (Or Limit) A SAR
If you’re planning to refuse entirely or partially, follow a structured approach so you stay on the right side of the law and keep the ICO on your side if challenged.
1) Triage The Request And Verify Identity
Confirm who’s asking and what they want. If identity is unclear, ask for reasonable ID. If scope is extremely broad or unclear, request clarification. Where appropriate, explain the systems you hold data in and invite the individual to narrow the search.
2) Map Where Personal Data Lives
List systems to search: email, HR software, chat apps, CRM, file storage, and any third-party processors. If processors hold data on your behalf, your Data Processing Agreement should require them to assist with SARs.
3) Apply Exemptions Carefully
Review results for third-party data, privilege, management planning content, crime/taxation issues, and trade secrets. Decide whether redaction or summarising can preserve rights while enabling access. Keep an audit trail explaining each decision - it’s invaluable if the ICO asks questions.
4) Decide: Disclose, Partially Disclose, Charge Or Refuse
If the request is manifestly unfounded or excessive, decide whether to refuse or charge a reasonable fee. If exemptions apply, prepare a partial disclosure pack with redactions.
5) Respond Within One Month (Or Notify Extension)
Send your response within the one-month limit. If extending by up to two months for complexity or multiple requests, notify the individual within the first month, explaining why and when they can expect a full response.
6) If You Refuse (In Whole Or Part), Explain Clearly
Your refusal notice should:
- State whether you’re refusing in full or in part (and why)
- Identify the applicable exemption(s) or the “manifestly unfounded or excessive” basis
- Explain any fee you’re charging, and how it was calculated
- Inform the individual of their right to complain to the ICO and to seek a judicial remedy
Having consistent wording is helpful - many businesses adopt standardised wording within their SAR response process.
Practical Tips To Make SARs Easier For Small Businesses
SARs don’t need to derail your week. With a bit of preparation, you can make compliance faster and lower-risk.
- Create a clear SAR policy and playbook: Who triages? Who searches which systems? Who signs off? A simple flow makes the one-month timeframe achievable.
- Train your team: Frontline staff should recognise a SAR on sight (they can be verbal or sent via social media) and know how to escalate.
- Use standard acknowledgements and clarification emails: Keep response times tight with ready-to-send templates.
- Search smart: Focus on likely data locations and use time ranges, sender/recipient filters, and keyword lists to keep searches proportionate.
- Redact consistently: Use reliable redaction tools and have a second pair of eyes check. Accidental disclosures of others’ data can trigger complaints.
- Log decisions: Record why you applied exemptions and what you disclosed or withheld.
- Align contracts and privacy notices: Your Privacy Policy and supplier contracts should support SAR compliance, including processor assistance clauses.
- Plan for deadlines: Build in time for reviews and sign-off. A quick refresher on SAR deadlines helps you avoid last-minute scrambles.
If you’re setting up your privacy compliance from scratch, consider a bundled approach like a GDPR Package to get your core documents and processes in place quickly.
Common Scenarios: Employee SARs During Disputes
Many small businesses first encounter SARs in the middle of HR issues - grievances, disciplinaries, redundancy consultations, or after an exit. It’s a stressful time to deal with a broad data request, so plan for these patterns:
- Expect wide scopes: Employees may ask for “all emails mentioning me.” Ask for date ranges, custodians, and topics to narrow the search.
- Watch for privilege: Communications with your solicitors about the dispute are likely privileged and can be withheld.
- Protect third parties: Redact other employees’ personal data where disclosure would infringe their privacy.
- Management planning: Documents reflecting confidential planning about restructures can be exempt if disclosure would prejudice your business planning.
- Stick to personal data: Not every opinion or internal process note is personal data. Focus on data that identifies the requester.
It can be overwhelming to balance rights and manage timeframes when tensions are high. If this sounds familiar, having a pre-agreed SAR playbook and internal comms guidance will make a huge difference to speed and accuracy.
Risks If You Refuse Unlawfully (Or Miss Deadlines)
Refusing without good grounds or missing the response deadline can lead to complaints to the ICO, enforcement action, and potential legal claims. Even if the ICO doesn’t fine you, an investigation consumes time and may require changes to your processes.
Top risks to watch:
- Missing the one-month deadline without notifying an extension
- Refusing without explaining the lawful basis or exemptions
- Failing to consider partial disclosure or redaction
- Disclosing third-party data or privileged material by mistake
- Charging a fee without meeting the “manifestly unfounded or excessive” threshold
Good governance goes a long way. If you’ve set your processes, documented decisions, and trained staff, you’ll be in a strong position if the ICO ever asks questions.
Essential Documents And Processes To Support SAR Compliance
To make SARs smoother and reduce the chance of disputes, most small businesses should have:
- Privacy notices that clearly explain rights and your contact route for SARs (for example, your public-facing Privacy Policy)
- Internal SAR policy and response templates (acknowledgements, clarifications, refusal wording)
- Processor contracts that require timely assistance with SARs (your Data Processing Agreement)
- Guidance on exemptions your team can apply - a quick-reference guide to common SAR exemptions helps reviewers
- A documented timetable aligned with the one-month limit and when an extension is justified - see our overview of SAR deadlines
- A light-touch compliance framework for data protection overall - many teams bundle this into a practical GDPR Package so they’re protected from day one
Key Takeaways
- Can a company refuse a subject access request? Yes - but only in limited situations, such as manifestly unfounded or excessive requests, or where a specific UK exemption applies. Consider partial disclosure before refusing outright.
- Apply exemptions narrowly and document your reasons. Common exemptions include legal professional privilege, confidential references, management forecasting, ongoing negotiations, crime/taxation, and protection of third-party data and trade secrets.
- Keep to the one-month deadline, or notify an extension for complex cases within that first month. Use clear processes, consistent wording and robust redaction to stay compliant.
- Always inform the requester if you refuse (in whole or in part), explain why, reference their right to complain to the ICO and to seek a judicial remedy, and retain an audit trail.
- Prepare now: a clear SAR policy, response templates, processor assistance via a Data Processing Agreement, and a public-facing Privacy Policy will make compliance faster and lower-risk.
- If you regularly receive SARs (for example, in HR disputes), build a repeatable workflow and keep quick references to exemptions and deadlines close to hand.
If you’d like tailored help setting up a SAR policy, applying exemptions, or handling a tricky request, you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligations chat.