When Can You Refuse a Data Subject Request?
You can refuse to act on a GDPR request if itβs manifestly unfounded or excessive.
This includes:
- Repeated requests with no new data
- Requests made to disrupt or harass
- Vague or impossible demands
If you refuse, you must:
- Explain the decision clearly
- Inform the person of their right to complain to the ICO
- Do so within 1 month
π‘ Tip:
Keep a clear record of all refused requests and your justification β the ICO may ask for evidence.
