Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you’re running a business in the UK, chances are you’ve heard about subject access requests (SARs) – or maybe you’ve already received one from a customer, employee or even a supplier. With data privacy being such a hot topic, individuals are more aware than ever of their rights under the UK GDPR. But what happens if someone makes a request that just isn’t reasonable, or could put your business or someone else’s rights at risk?
Understanding when – and how – you can refuse a SAR is crucial. There are legitimate exemptions (sometimes called “SAR exemptions”) built into the law to protect both your business and others affected by personal data. But navigating these rules can be tricky, and handling a request incorrectly could mean a headache with the Information Commissioner’s Office (ICO).
In this guide, we’ll break down:
- What a subject access request really is (and why they matter for your business)
- The key legal grounds for refusing a SAR, including unfounded, excessive and statutory exemptions
- Your obligations when you refuse a request – and how to do so compliantly
- Practical steps and tips for busy businesses, plus examples of thorny SAR scenarios
Let’s demystify SAR exemptions, so you can avoid costly pitfalls and stay protected from day one.
What Is A Subject Access Request (SAR)?
A subject access request (SAR) is a written (or sometimes verbal) request from an individual asking you to confirm whether you hold personal data about them – and if so, to provide a copy and certain details about how it’s used.
Under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, individuals have a legal “right of access” to their own personal data. That means they can request information such as:
- What personal data you hold about them
- How and why you process that data
- Who you share it with, and for how long you retain it
- Details about any automated decisions or profiling
For businesses, responding to SARs is a legal obligation. If you get one, you usually have to respond within one month. Fail to do so properly, and the ICO could hold your business in breach of the GDPR – which potentially means fines, reputational damage, or court action.
If you need help understanding your compliance duties, our quick tips for GDPR compliance guide is a great place to start.
When Can You Refuse A SAR? Understanding Your Legal Options
While businesses usually must respond to SARs, there are some circumstances where you can lawfully refuse – either entirely or in part. These are known as SAR exemptions.
Let’s cover the main grounds for refusal.
1. If The Request Is Manifestly Unfounded
A SAR is considered “manifestly unfounded” if:
- The individual has no intention of exercising their access rights (for example, they’re using the request to harass or disrupt your business or a staff member)
- The request is malicious, abusive, or made solely to cause trouble
- It’s clear from the request’s wording or history that it isn’t genuine
For example, a former employee submits several SARs a week, threatening to “bring down” your company unless you pay compensation. Here, the SAR is likely to be seen as manifestly unfounded.
It’s important to remember that refusing a SAR on this ground requires strong evidence. The ICO will expect you to show why you believed the request was unfounded, so good documentation is essential.
2. If The Request Is Manifestly Excessive
A SAR is “manifestly excessive” when complying would:
- Create an unreasonable burden on your business (for instance, if the individual repeats the same request frequently without new grounds)
- Request data far beyond what is reasonable or relevant
- Overlap heavily with recent requests where nothing has changed
However, large requests are not automatically excessive – if someone genuinely needs extensive data, it’s your job to provide it unless there’s a clear and specific reason you can’t.
If a SAR seems overwhelming but not truly excessive, it’s best practice to engage with the requester. You might ask them to narrow down their request to the particular period, category, or issue that concerns them.
For a closer look at what constitutes an “excessive” request under UK GDPR, see the data protection guide for UK businesses.
3. If A Specific Legal Exemption Applies
Certain categories of information are protected under the UK GDPR and Data Protection Act 2018, meaning you may be required (or permitted) to withhold that information in response to a SAR. Common legal exemptions include:
- Legal professional privilege: If the data includes communications covered by solicitor-client privilege
- Crime and taxation: For data processed to prevent, detect, or prosecute crime, or for tax assessments (where disclosure would prejudice these activities)
- National security: If complying would harm national security interests
- Third-party rights: Where releasing data would unreasonably reveal personal data about someone else, or infringe their rights
- Management information: Data that relates to management forecasting, business planning, or negotiations (if disclosure could prejudice the business)
It’s worth noting that not all business data is automatically exempt. Every SAR must be carefully considered, and information should only be withheld to the extent necessary to protect legal interests or third-party rights. You may need to redact certain parts of the data, rather than refuse the request outright.
If you regularly handle sensitive information, you might also benefit from reviewing your Privacy Policy and internal procedures to make sure they offer a robust framework for SAR responses.
What Should You Do If You Decide To Refuse A SAR?
If a SAR exemption applies and you decide to refuse some or all of a request, you’re not finished yet! The UK GDPR sets clear requirements to make sure individuals are treated fairly and transparently.
Here’s what you must do if you refuse a request:
- Respond in writing (unless the request was made verbally and you discuss it in person – but written follow-up is always safest)
- Clearly explain your reasons for refusing all or part of the request, referencing the relevant exemption
- Notify the individual of their right to complain to the ICO or pursue legal action
- Document everything – keep a full record of the request, your review process, the exemption relied on, and your response
Remember: refusing a SAR is a significant step. If you don’t handle it properly, the requester could challenge your decision and trigger an ICO investigation or legal proceedings.
If you’re unsure, it’s wise to seek legal advice – especially if you are considering relying on one of the more complex statutory exemptions.
Best Practice Tips For Handling Subject Access Requests
Getting SARs right can be stressful, especially for smaller businesses that don’t have a dedicated data protection officer. Here are some practical steps to help you build robust compliance:
- Assess each SAR on its individual merits. Avoid blanket policies or automatic refusals. Even if a previous request was unfounded, the next one may not be.
- Engage with the requester. If a request is vague, ambiguous, or broad, ask them to clarify. This helps narrow the scope and reduces your workload.
- Document everything. Keep full records of the request, your review process, communications, and any evidence supporting refusal. This is vital should you ever need to defend your decision to the ICO or a court.
- Respond promptly. Even if you’re refusing the request, you still have to reply within one month (unless you have grounds to extend for complex cases).
- Protect third-party data. If other people’s personal data is included in the requested information, consider redacting those sections – but don’t just refuse automatically; assess whether disclosure is justified.
- Be consistent with your Privacy Policy. Make sure your external statements about data rights match how you handle requests internally.
For even more best practice tips, check out our guides for protecting customer information and using data privacy consent forms.
Common SAR Exemption Scenarios: What Should You Watch Out For?
Let’s look at a few real-world examples that UK businesses regularly face when it comes to SAR exemptions:
- Repeated requests from a disgruntled former employee: If the ex-employee makes multiple SARs in close succession, asking for the same data and nothing substantive has changed, you may be able to refuse further requests as “excessive”. But you’ll need clear evidence that the pattern is abusive or wasteful, not just inconvenient.
- Overlapping data about multiple people: For instance, an employee requests their emails, but these contain information about clients or other staff. You’ll need to consider redaction, or withhold certain information to protect third-party rights – but always justify and record your reasoning. Blanket refusals are rarely allowed.
- Requests aimed to disrupt business operations: Sometimes, SARs are used as leverage in a dispute (such as a commercial disagreement or an ongoing employment tribunal case). If you can show the request is manifestly unfounded or excessive, you may be able to refuse, but take care – the threshold for refusal is high, and will be scrutinised.
- Requests covering legal advice or litigation: Data protected by legal privilege (such as advice from your solicitor on an ongoing case) is generally exempt from disclosure in response to a SAR. Document any parts you withhold, and tell the individual why.
- Large or vague requests: If someone demands “all the data you hold on me ever,” this could be overwhelming. However, unless it’s truly excessive or abusive, you should request clarification and assist the individual to refine their request, rather than refuse outright.
If your business is dealing with repeated or tricky requests, consider reviewing our advice on unfair contract terms or drafting an effective complaints policy to help reduce legal headaches.
How To Prepare Your Business For SARs And Exemptions
If you want to stay protected and avoid slipping up with a SAR exemption, here’s how to do it the right way:
- Train your team: Everyone who handles data should know the basics of handling SARs and spotting when a request might be unfounded or excessive.
- Set up clear internal policies: Document the steps for logging, assessing, responding to, and (if needed) refusing SARs, including how to evidence each decision.
- Review your data mapping: Know where personal data is stored, who has access, and how long you retain it – this speeds up SAR review and helps identify exempt material.
- Get legal documents in order: Whether you need a GDPR-compliant Privacy Policy, data breach response plan or acceptable use policy, having these in place signals to staff and customers that you take privacy seriously.
- Seek legal advice when in doubt: Complex, high-risk or repeat SARs can quickly spiral. Getting a data privacy lawyer to review your approach can save you a lot of stress (and money) in the long run.
Key Takeaways
- A Subject Access Request (SAR) allows individuals to access the personal data you hold about them, and you’re usually obliged to respond within one month.
- You can refuse a SAR if it is manifestly unfounded (abusive, harassing, or malicious), manifestly excessive (repetitive, overly broad), or covered by a specific legal exemption such as legal privilege or crime prevention.
- Every refusal must be justified, properly documented, and communicated transparently to the requester – including advice on their right to complain to the ICO.
- Blanket refusals are not allowed – take a case-by-case approach, especially when third-party data is involved.
- Get your Privacy Policy and internal procedures in order, and clearly train your team in SAR handling – prevention is always better than reaction.
- When in doubt, seek tailored legal advice before refusing a SAR – mistakes can lead to fines, ICO scrutiny, or damage to your business reputation.
If you need help crafting SAR response procedures, applying exemptions, or reviewing your Privacy Policy, we’re here to make it easy and risk-free. Reach out on team@sprintlaw.co.uk or give us a call at 08081347754 for a free, no-obligation chat.