|

When Can You Refuse a Data Subject Request?

You can refuse to act on a GDPR request if it’s manifestly unfounded or excessive.

This includes:

  • Repeated requests with no new data
  • Requests made to disrupt or harass
  • Vague or impossible demands

If you refuse, you must:

  • Explain the decision clearly
  • Inform the person of their right to complain to the ICO
  • Do so within 1 month

πŸ’‘ Tip:

Keep a clear record of all refused requests and your justification β€” the ICO may ask for evidence.

Similar Posts