Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you handle personal data, subject access requests (SARs) will cross your desk sooner or later. They can be time-consuming, disruptive and sometimes tricky to manage.
So, can you charge for a subject access request in the UK? Usually no - but there are important exceptions where a reasonable fee is allowed. Get those calls right and you’ll save time, reduce risk and stay compliant.
In this guide, we explain when you can charge, how to calculate a “reasonable” fee, and practical steps to streamline your SAR process under UK GDPR and the Data Protection Act 2018.
What Is A Subject Access Request (SAR)?
A SAR is a request from an individual (the data subject) for access to the personal data your business holds about them, under Article 15 of UK GDPR. You must respond without undue delay and in any event within one month of receipt.
In most cases, you must provide:
- Confirmation you process their personal data
- Access to a copy of that personal data
- Supplementary information (for example, purposes of processing, categories of data, recipients, storage periods, and rights)
It’s best practice to have a clear process, including a standard Subject Access Request template, so your team knows exactly what to do the moment a request lands.
Can You Charge A Fee For A Subject Access Request?
By default, SARs must be handled free of charge. However, UK GDPR allows you to charge a reasonable fee in two specific situations:
- The request is manifestly unfounded or excessive; or
- The individual requests further copies of their data (beyond the first copy)
If neither condition applies, you cannot charge. Where a request is manifestly unfounded or excessive, you may either charge a reasonable fee or refuse to act on it; for further copies you can only charge, not refuse. Either way you need strong, documented justification, and you must explain your decision to the requester, including their right to complain to the ICO.
Remember, the one-month time limit still applies. You can extend by up to two further months where the request is complex or you have received a number of requests from the same individual, but you must tell the requester within the first month and explain why. It helps to track your timetable carefully - this is where clear internal guidance on SAR deadlines becomes essential.
When Is A Request “Manifestly Unfounded” Or “Excessive”?
These are narrow exceptions. Don’t assume a request is unfounded or excessive just because compiling the data feels burdensome. You need objective reasons backed by evidence.
Manifestly Unfounded
Examples may include where the individual:
- Clearly has no genuine intention to exercise their access rights (e.g. they say they’ll withdraw the request if you pay them)
- Uses the request purely to harass, disrupt or cause unnecessary work, especially where there is a pattern of such behaviour
You’ll need to document why you reached that conclusion. Focus on behaviour and context, not the individual’s tone or the inconvenience to your business.
Excessive
A request could be excessive if it:
- Repeats the substance of a previous request to which you already responded, and there’s no reasonable interval or change in circumstances
- Asks for an unreasonably broad and unfiltered set of data when narrower alternatives are available and offered
Before labelling a request “excessive”, try to clarify scope with the requester. Proactively helping them narrow the search will often avoid disputes.
Some requests are exempt in full or in part (for example, legal privilege, management forecasting, crime prevention, references you’ve given). If an exemption applies, you typically don’t need to charge - you can refuse to provide the exempt information. Always assess exemptions first, then consider fees as a fallback. A quick refresher on common SAR exemptions can save you time.
What Counts As A “Reasonable Fee” And How Do You Calculate It?
If a request is manifestly unfounded or excessive, or the person wants further copies, you may charge a “reasonable fee” to cover administrative costs. The ICO expects your fee to be proportionate and justifiable.
Permissible Cost Elements
Reasonable administrative costs usually include:
- Staff time spent locating, reviewing, and extracting the data
- Technical costs of running searches and restoring archived material
- Redaction time (to protect third-party data or confidential information)
- Photocopying, printing, postage or secure electronic transfer costs
- Costs of providing additional copies (beyond the first copy)
Costs should reflect actual time on the SAR, not general overhead. Be cautious with rates you apply to staff time - use a sensible internal hourly rate and be prepared to show your workings if challenged.
Example Calculation
Imagine a repeated, wide-ranging SAR that you have already answered three months ago. Your team spends 2.5 hours re-running searches (at £40/hour), 1.5 hours reviewing and redacting (at £45/hour), and £12 on secure file transfer. A reasonable fee might be:
- Searches: 2.5h x £40 = £100
- Review/redaction: 1.5h x £45 = £67.50
- Transfer: £12
- Total fee: £179.50 (rounded appropriately)
Provide a clear fee breakdown and explain that work will resume once the fee is paid. The one-month period does not start until you receive the fee, but only where charging is genuinely permitted: if you charge when you were not entitled to, the clock has been running from the original receipt date and you may already be late.
How To Decide Whether To Charge Or Refuse: A Step-By-Step Approach
Charging should be a last resort, not your first move. A consistent, fair process helps you reach the right decision and demonstrate compliance.
1) Verify Identity And Clarify Scope
Promptly ask for ID if needed, and invite the requester to narrow broad terms (e.g. date range, systems, keywords). Document all communications. A simple web-based access request form can streamline intake and help set expectations from the start.
2) Check For Exemptions
Assess whether all or parts of the data are exempt. Apply redactions where necessary and keep a record explaining the exemption relied on (e.g. legal privilege, third-party data). Refer to your internal playbook and, if in doubt, seek advice early.
3) Decide: Free, Fee, Or Refuse
- Free of charge: the default - proceed within one month.
- Reasonable fee: if manifestly unfounded/excessive or further copies are requested - write to the individual with your fee breakdown and pause until paid.
- Refusal: if manifestly unfounded or excessive - write to the individual explaining your decision and their right to complain to the ICO.
4) Track Your Timetable
Set a diary for the one-month deadline and consider whether a two-month extension applies for complexity. Keep a clean audit trail of dates, requests for clarification, pauses while awaiting ID or fees, and any extensions. If timeframes are a pain point, share your internal guide on SAR deadlines with staff who handle requests.
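The deadline arithmetic above (one month from receipt, the clock stopped while you genuinely await ID, clarification or a permitted fee, and up to two further months for complexity, notified within the first month) is easy to get wrong at month-ends. The tracker below is an added example written for this page, not Sprintlaw's code or a tool the article describes. Two rules are my reading of ICO guidance and should be checked before you rely on them: "one month" ends on the same calendar date next month, or the last day of that month if no such date exists, and each paused day pushes the deadline back by one day. Weekend and public-holiday roll-forward is deliberately left out. The case references and dates are constructed.

```python
"""SAR deadline tracker: an added example, not part of the original article.

Assumed rules (verify against current ICO guidance before relying on them):
- The response period is one month from the day the request is received.
- "One month" ends on the same calendar date next month; if that date does not
  exist (31 January -> February) it ends on the last day of the next month.
- The clock stops while you genuinely await ID, clarification or a permitted
  fee; every stopped day pushes the deadline back by one day.
- Up to two further months may be added for complexity, but only if the
  requester is told within the original period.
"""
from __future__ import annotations

from calendar import monthrange
from dataclasses import dataclass, field
from datetime import date, timedelta

ALLOWED_PAUSE_REASONS = {"identity", "clarification", "fee"}


def add_months(start: date, months: int) -> date:
    """Same calendar date `months` later, clamped to that month's last day."""
    month_index = start.month - 1 + months
    year, month = start.year + month_index // 12, month_index % 12 + 1
    return date(year, month, min(start.day, monthrange(year, month)[1]))


@dataclass
class Pause:
    reason: str
    start: date
    end: date | None = None

    def days(self, as_of: date) -> int:
        """Days the clock has been stopped; an open pause counts up to as_of."""
        return max(((self.end or as_of) - self.start).days, 0)


@dataclass
class SarCase:
    reference: str
    received: date
    pauses: list[Pause] = field(default_factory=list)
    extension_months: int = 0

    def start_pause(self, reason: str, on: date) -> None:
        # Only the three recognised reasons stop the clock; inconvenience does not.
        if reason not in ALLOWED_PAUSE_REASONS:
            raise ValueError(f"{reason!r} is not a permitted reason to stop the clock")
        if self.pauses and self.pauses[-1].end is None:
            raise ValueError("a pause is already open; close it first")
        self.pauses.append(Pause(reason, on))

    def end_pause(self, on: date) -> None:
        if not self.pauses or self.pauses[-1].end is not None:
            raise ValueError("no open pause to close")
        if on < self.pauses[-1].start:
            raise ValueError("a pause cannot end before it started")
        self.pauses[-1].end = on

    def paused_days(self, as_of: date) -> int:
        return sum(p.days(as_of) for p in self.pauses)

    def deadline(self, as_of: date) -> date:
        months = 1 + self.extension_months
        return add_months(self.received, months) + timedelta(days=self.paused_days(as_of))

    def extend(self, months: int, notified_on: date) -> None:
        """Record a complexity extension; rejected if notified after month one."""
        if not 1 <= months <= 2:
            raise ValueError("extension is at most two further months")
        first_period_end = add_months(self.received, 1) + timedelta(
            days=self.paused_days(notified_on))
        if notified_on > first_period_end:
            raise ValueError("extension must be notified within the original month")
        self.extension_months = months

    def status(self, as_of: date) -> str:
        if self.pauses and self.pauses[-1].end is None:
            return "paused"
        remaining = (self.deadline(as_of) - as_of).days
        if remaining < 0:
            return "overdue"
        return "due soon" if remaining <= 7 else "on track"


def demo() -> dict[str, str]:
    """Constructed scenario: a request received on 31 January 2025."""
    case = SarCase("SAR-0001", date(2025, 1, 31))
    out = {"initial": case.deadline(date(2025, 1, 31)).isoformat()}  # 2025-02-28
    case.start_pause("identity", date(2025, 2, 3))
    case.end_pause(date(2025, 2, 10))                                  # 7 days stopped
    out["after_pause"] = case.deadline(date(2025, 2, 10)).isoformat()  # 2025-03-07
    case.extend(2, notified_on=date(2025, 2, 20))
    out["after_extension"] = case.deadline(date(2025, 2, 20)).isoformat()  # 2025-05-07
    out["status_1_april"] = case.status(date(2025, 4, 1))
    late = SarCase("SAR-0002", date(2025, 1, 31))
    try:
        late.extend(1, notified_on=date(2025, 3, 15))  # after the first month: refused
        out["late_extension"] = "accepted"
    except ValueError:
        out["late_extension"] = "rejected"
    return out
```

Run `demo()` to see the four dates and the rejected late extension; in practice the tracker would be fed from your SAR log, with every pause start and end tied to the dated correspondence you keep for the audit trail.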
5) Communicate Clearly
Use consistent wording for acknowledgements, fee notices and final responses. Explain what you can provide, what’s exempt, and why. Where appropriate, offer to narrow the scope to speed things up.
Common SAR Pitfalls (And How To Avoid Them)
Even well-run teams stumble on the same issues. Here’s how to steer clear.
- Charging as a default: Charging is the exception. Start from “free of charge” and document why you moved away from it.
- Overstating “excessive”: A broad request isn’t automatically excessive. Try to narrow first - refusals need strong evidence.
- Vague fee calculations: Keep itemised time records and out-of-pocket costs so your fee looks (and is) reasonable.
- Missing deadlines: The one-month clock moves fast. Build reminders, triage early, and train staff to spot SARs anywhere (inbox, social media DMs, live chat, store counter).
- Forgetting third-party data: Redact carefully and explain why you can’t disclose others’ personal data without consent.
- Relying on templates alone: Templates help, but edge cases need judgement. Train your team and have an escalation route to a senior decision-maker.
What To Include In Your SAR Toolkit
A few well-chosen documents and policies make SARs smoother, faster and less risky.
- Public-facing Privacy Policy explaining access rights, how to make a request, and how you verify identity
- Internal SAR playbook with screening questions, decision trees and template acknowledgements
- Intake channel (for example, a simple access request form) that directs requests to the right team
- Data maps and retention schedules so you know where data lives and how long you keep it
- Processor contracts that ensure third parties help you meet deadlines - a robust Data Processing Agreement is key
- Clear rules for sharing data externally - a tailored Data Sharing Agreement keeps everyone on the same page
- Incident response: if a request reveals a security gap, your Data Breach Response Plan should kick in
Finally, make sure your team knows when and how they can refuse or charge. Keep a one-page crib sheet listing the narrow circumstances and the evidence you’ll need to rely on them. For nuanced scenarios, point staff to a short explainer on SAR exemptions so they can spot issues early.
Practical FAQs For Business Owners
Do We Have To Accept A SAR Sent By Social Media Or A Sales Inbox?
Yes. A SAR can be made through any channel, verbally or in writing, and it does not need to mention UK GDPR or use the words "subject access request". Train frontline staff to recognise requests and forward them to your privacy lead immediately.
Can We Ask The Requester To Pay A Fee Before We Decide If It’s Unfounded Or Excessive?
No. Assess the request first. Only if it is manifestly unfounded or excessive (or if they ask for further copies) should you calculate and request a fee - with an itemised breakdown.
Can We Refuse To Search Backups Or Archives?
Not automatically. Data that exists only in a backup or archive is still personal data you hold, so you need to take reasonable and proportionate steps to find it. If restoring a disaster-recovery backup would take disproportionate effort, record your reasoning (what the backup contains, what restoring it would involve, and why that is disproportionate) and focus on live systems and accessible archives first.
What If The Request Includes Emails With Third Parties?
You still need to search and review. Redact third-party personal data where disclosure would be unfair or unlawful, and explain that you’ve done so.
Can We Pause The Clock While We Wait For ID Or Clarification?
Yes, but only where you genuinely need it. If you have reasonable doubts about identity, the time limit runs from when you receive the ID. For clarification, ICO guidance lets you pause the clock only where the request is genuinely unclear and you hold a large amount of information about the individual; do not use clarification requests routinely to buy time. Keep dated records of your requests and follow-ups so you can justify the pause if needed.
A Sensible, Compliant SAR Workflow
To keep SARs under control, build a lean, repeatable workflow:
- Log the SAR on day one, acknowledge receipt, and request ID/clarification if needed.
- Map systems, run targeted searches, and triage early for redaction and exemptions.
- Decide on free/fee/refuse. If charging or refusing, provide reasons and next steps (including ICO complaint rights).
- Compile and check the data bundle. Use secure transfer methods and keep audit trails.
- Close the request with a plain-English cover letter setting out what you’ve provided, anything withheld, and why.
- Capture lessons learned to continually refine your playbook and templates.
If you’re building your process from scratch, start with a short policy, a tracker, and a few core templates (acknowledgement, clarification, fee notice, response, refusal). As your team grows, round out your internal guidance and link it to your wider privacy compliance program.
When To Get Expert Help
Some SARs are straightforward. Others involve multiple systems, third-party processors, sensitive data and legal privilege questions. It’s normal to feel unsure - especially when deciding whether a request is “manifestly unfounded or excessive.”
If the stakes are higher (for example, regulatory scrutiny, employee disputes or litigation risks), it’s wise to get tailored advice. A quick review of your draft response, exemptions analysis and fee calculation can prevent complaints and reduce the risk of ICO intervention. Investing a little time upfront often saves hours later.
Key Takeaways
- Default position: you cannot charge for a subject access request - only charge a reasonable fee if it’s manifestly unfounded or excessive, or for additional copies.
- Be able to evidence your decision: keep a clear paper trail showing why a request was unfounded or excessive, and itemise any fee you charge.
- Get the basics right: verify identity, clarify scope early, and stay on top of the one-month deadline (with extensions for complex cases where justified).
- Use the right tools: a public-facing Privacy Policy, internal templates, and strong processor terms like a Data Processing Agreement will make SARs quicker and safer.
- Know your options: consider exemptions first, then decide whether to proceed free of charge, charge a fee, or refuse - and communicate clearly in plain English.
- Train and iterate: build a simple workflow, track deadlines, and continually refine your Subject Access Request template and process as you learn.
If you’d like help assessing a tricky SAR, setting a fee policy, or building compliant templates and agreements, you can reach us on 08081347754 or team@sprintlaw.co.uk for a free, no-obligations chat.