Data Subject Rights | Subject Access Request (DSAR)

When Can You Refuse a Data Subject Request?

ByPrivacyiQ 9 July 20256 July 2025

Under GDPR, companies can refuse rights requests that are manifestly unfounded or excessive. Learn when and how to lawfully say no.

You can refuse to act on a GDPR request if it’s manifestly unfounded or excessive.

This includes:

Repeated requests with no new data
Requests made to disrupt or harass
Vague or impossible demands

If you refuse, you must:

Explain the decision clearly
Inform the person of their right to complain to the ICO
Do so within 1 month

💡 Tip:

Keep a clear record of all refused requests and your justification — the ICO may ask for evidence.

Automated Decision Making | Data Subject Rights

4 of 5: When Can You Use Automated Decision-Making? Legal Bases and Safeguards Explained

ByPrivacyiQ 25 July 202524 July 2025

UK GDPR Article 22 restricts automated decisions — but there are exceptions. Learn when you can use automation lawfully and what safeguards you must have in place. Article 22 of the UK GDPR generally prohibits companies from making decisions based solely on automated processing that have a significant or legal effect on individuals. However, there…

Data Subject Rights | Right to Object

1 of 5: Understanding the Right to Object Under UK GDPR (Article 21)

ByPrivacyiQ 17 July 202517 July 2025

The UK GDPR grants individuals the right to object to certain types of data processing. Learn what Article 21 means for your company and how to stay compliant. Companies today rely on data to drive decision-making, marketing, and operational efficiency. But under the UK General Data Protection Regulation (UK GDPR), individuals have the right to…

Children | Data Subject Rights

Children’s Data Rights Under the UK GDPR

ByPrivacyiQ 4 July 20252 July 2025

Children have enhanced data protection rights under UK GDPR. Learn how companies working with under-18s should comply. The UK GDPR gives special protection to children’s personal data. If your company provides services to or collects data from individuals under 18, specific rules apply. Key principles include: These rights tie into the right to be informed,…

Data Subject Rights

5 of 5: Article 23 — Restrictions on Data Subject Rights and What They Mean for Your Business

ByPrivacyiQ 26 July 202524 July 2025

Article 23 of the UK GDPR allows certain restrictions on data subject rights — but only in defined cases. Learn when this applies and how your company must respond. Most GDPR rights — including the right to access, object, and erase — are strong and enforceable. However, Article 23 of the UK GDPR gives the…

Data Subject Rights | Right to Data Portability

The Right to Data Portability: A Growing Challenge for Companies

ByPrivacyiQ 1 July 202527 June 2025

Article 20 of the UK GDPR gives individuals the right to receive and reuse their data. Learn how companies should prepare. Article 20 of the UK GDPR allows individuals to receive a copy of their personal data in a structured, commonly used, machine-readable format. This typically applies when: Examples include payroll records, client CRM exports,…

Data Subject Rights | Subject Access Request (DSAR)

Responding to Data Subject Requests: Timelines and Exceptions

ByPrivacyiQ 7 July 20256 July 2025

Companies must respond to GDPR rights requests within strict timeframes. Here’s what counts as a valid request — and when deadlines can be extended. The default timeline to respond to data subject rights requests (access, erasure, objection, etc.) is one calendar month. You may extend this by two months if the request is: But —…

💡 Tip:

Similar Posts