Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you run a small business, a subject access request (SAR) can feel like it lands out of nowhere.
One day you’re managing customers, staff, suppliers and cashflow - the next, someone asks for “all personal data you hold about me”, and suddenly you’re wondering whether you can say no.
So, can a company refuse a subject access request in the UK?
Sometimes, yes - but only on specific legal grounds, and you still need to handle the request carefully. If you refuse without a valid reason (or you refuse in the wrong way), you can create unnecessary regulatory risk, complaints to the ICO, and avoidable disputes.
Below, we’ll break down when you can refuse a SAR (or limit it), what “refusing a subject access request under GDPR” actually means in practice, and how to respond in a way that protects your business.
What Is A Subject Access Request (SAR) And Why Does It Matter For Small Businesses?
A subject access request is a request made by an individual (the “data subject”) to access the personal data your business holds about them.
This right comes from the UK GDPR (as supplemented by the Data Protection Act 2018). In simple terms, the law says that people are generally entitled to know:
- whether you’re processing their personal data;
- what personal data you hold;
- why you’re using it and who you share it with;
- where it came from;
- how long you’ll keep it; and
- their other rights (like asking you to correct or delete data, in some cases).
For small businesses, SARs often come up in a few common contexts:
- Employment situations (eg a current or former employee raising concerns or preparing for a dispute).
- Customer complaints (eg a customer wants to see call logs, emails, notes, CCTV references).
- Service disputes (eg a client is challenging what was agreed and wants “everything” you hold).
Even if you have a simple setup - a small team, a basic CRM, a shared inbox - you’re still processing personal data. That’s why it’s worth having your compliance foundations sorted early, including documents like a Privacy Policy and internal procedures for handling data requests.
If you want a deeper overview of what counts as a SAR in the workplace context, it can also help to read subject access requests from an employer perspective.
Can A Company Refuse A Subject Access Request Under GDPR In The UK?
Yes - a company can refuse a subject access request, but only if there’s a lawful basis to do so.
In practice, “refusing” can mean a few different things:
- Refusing to act on the request at all (rare, and must be justified).
- Asking for clarification before you search, where the request is very broad and you reasonably need more information.
- Withholding parts of the information because an exemption applies (very common).
- Providing information but removing/redacting third-party data or confidential material.
- Charging a reasonable fee (only in narrow circumstances) rather than providing it for free.
So, when people search “can a company refuse a subject access request”, what they usually mean is: “Do I have to hand over everything they’re asking for?”
The answer is usually: you must respond, but you don’t necessarily have to provide everything in the way they demanded it - and you can refuse to comply with a SAR (or part of it) if a specific GDPR rule or legal exemption applies.
The key is being able to explain and document your reasoning. If the ICO ever reviews your response, you want to show you followed a fair process and applied the law properly.
When Can You Refuse A SAR? The Main Grounds Businesses Rely On
There isn’t a general “get out of jail free card” for SARs. However, UK GDPR and the Data Protection Act 2018 recognise that there are scenarios where a business shouldn’t have to comply fully (or at all).
Here are the most common grounds small businesses use when refusing a subject access request under GDPR, or narrowing what they provide.
1) The Request Is “Manifestly Unfounded”
A request may be manifestly unfounded where it’s clearly made with no real purpose connected to data protection rights - for example, where the person is using the SAR purely to harass your team, or they’re making allegations with no basis and the request is obviously abusive.
This is a high threshold. It’s not enough that the request is annoying, inconvenient, or comes from someone in a dispute with you.
If you rely on this ground, you should be prepared to justify it with evidence (eg repeated abusive communications, admissions of intent, clear pattern of harassment).
2) The Request Is “Manifestly Excessive”
A SAR may be manifestly excessive where it’s clearly disproportionate in scope, effort, or burden compared to the purpose of the request.
Common examples include:
- repeat SARs in a short timeframe where you’ve already provided the data;
- a request that demands extremely wide searches across systems without any meaningful focus; or
- requests that ask for vast amounts of duplicated material (eg “every single email I was ever CC’d into, including duplicates, across five years”).
Importantly, “excessive” doesn’t mean “time-consuming”. If you hold a lot of personal data, you may still need to do the work. The question is whether the request is disproportionate, considering factors like:
- the nature of the relationship (employee/customer/supplier);
- the amount of data you hold;
- the context and purpose; and
- whether there are less intrusive ways to meet the request (eg narrowing by timeframe or category).
If the request is excessive, you may be able to:
- refuse to act on it, or
- charge a reasonable fee to cover administrative costs, or
- ask the requester to narrow the scope (often the most practical approach).
3) You Need To Verify Identity
You don’t have to comply with a SAR until you’re satisfied you’re dealing with the right person.
This is especially important if you hold sensitive data (eg HR records, medical info, disciplinary records, copies of ID, bank details).
What you can do:
- ask for reasonable proof of identity;
- if you reasonably need more information to confirm identity, you can wait to provide the response until you receive it (the one-month response period generally runs from the date you receive what you reasonably need, but ask promptly rather than treating the check as a way to delay).
Be careful not to “over-ask”. Identity checks should be proportionate to the risk: the more sensitive the data, the stronger the check. If the person is writing from an account or address you have already verified belongs to them (eg their authenticated customer login, or the email address you already use with them), a lighter-touch check may be appropriate. A message that merely claims to be from them, sent from an address you have never dealt with, is not enough on its own. Remember that a SAR is an obvious route for someone to obtain another person’s data by impersonation, so don’t skip the check just because the request looks routine.
Many businesses find it helpful to have a standard Access Request Form to keep this process consistent and well-documented.
4) Legal Exemptions Apply (So You Can Withhold Certain Information)
Often, the correct approach isn’t refusing the SAR entirely - it’s responding, but withholding certain information because an exemption applies.
Examples that commonly matter for businesses include:
- Third-party data: you may need to redact personal data about other individuals (eg other employees, other customers) unless the other person has consented or it is reasonable in all the circumstances to disclose it without their consent.
- Legal privilege: communications protected by legal professional privilege (eg solicitor advice) are commonly exempt.
- Management forecasting/planning: in limited circumstances, information may be withheld where disclosure would be likely to prejudice genuine management planning or forecasting.
- Negotiations: in limited circumstances, you may be able to withhold information where disclosure would be likely to prejudice negotiations with the requester.
- Confidential references: references given by your business can be exempt; references you receive may also be restricted depending on the situation.
The real-world issue is that SAR responses often contain material that mixes the requester’s personal data with business-sensitive information or other people’s data. The law doesn’t require you to compromise others’ privacy or hand over legally privileged advice.
If you’re unsure what can be withheld, this guide on what you can withhold is a useful starting point.
What You Must Do If You Refuse (Or Partially Refuse) A Subject Access Request
If you decide to refuse a SAR (or refuse part of it), you still need to handle the process correctly. The risk for businesses is not only what you decide, but how you communicate it and document it.
1) Respond Within The Time Limit (Or Properly Extend It)
In most cases, you must respond to a SAR within one month.
You can extend by up to two further months if the request is complex or you’ve received multiple requests from the individual - but you must tell them within the first month and explain why you’re extending.
If you miss the deadline, you increase the chance of an ICO complaint - even if your underlying reason for withholding data is legitimate.
For timing details and practical deadline management, see SAR response timescales.
2) Give Clear Reasons (In Plain English)
When refusing, your response should explain:
- that you’re refusing to act on the request (or part of it);
- the reason (eg manifestly excessive, manifestly unfounded, or an exemption);
- what you can provide (if you’re partially complying); and
- their right to complain to the ICO and seek a remedy through the courts.
Even though this is a legal process, don’t bury the message in jargon. A clear explanation reduces escalation, because many SARs are made by people who simply want clarity about what’s on file.
3) Consider A “Narrowing” Step Before You Refuse
Before you jump to a refusal, it’s often safer (and commercially smarter) to ask the requester to narrow the scope.
For example, you might ask:
- what timeframe they’re interested in (eg last 6 months vs last 6 years);
- what categories of data matter (eg HR notes, emails, call recordings, CCTV);
- what email addresses, phone numbers, or customer IDs you should search.
This approach can save you hours of manual searching and reduces the chance that you accidentally disclose third-party data.
It also looks reasonable if your response is ever reviewed - you tried to comply, but you needed clarity.
4) Keep An Audit Trail
If the SAR is linked to a dispute (which is common), treat your SAR process like a compliance project. Keep a simple internal record of:
- the date received and who received it;
- identity checks performed;
- systems searched and keywords used;
- what was disclosed and what was withheld (and why);
- when you responded and how you delivered the response.
This is particularly important where you decide the request is “manifestly excessive” or “manifestly unfounded”. If challenged, you’ll want evidence that your decision was reasonable.
A Practical Step-By-Step Process For Handling SARs In Your Business
Small businesses usually don’t need a large compliance department to handle SARs well. You just need a repeatable process that your team can follow without panic.
Step 1: Centralise Intake (So SARs Don’t Get Missed)
Make sure your team knows how to spot a SAR. The person doesn’t need to use the words “subject access request” or “GDPR”.
If someone asks for “all the information you have on me”, treat it as a SAR and route it to a responsible person (often the business owner, operations lead, or HR manager).
Step 2: Verify Identity And Clarify The Scope
Confirm identity where needed and ask sensible narrowing questions early. This protects you from data leaks and reduces workload.
Step 3: Search, Collect, And Review
Your searches may include:
- email inboxes and archives;
- CRM entries and support tickets;
- HR files (including performance notes);
- shared drives and document management tools;
- chat tools used for work;
- CCTV logs (if relevant);
- phone systems and call recordings (if you record calls).
As you go, keep an eye out for data that needs redaction (third-party data) and material that may be exempt (legal advice, privileged communications).
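As an added illustration (not part of the original article, and not Sprintlaw’s own tooling), the Python script below shows what the search-and-review work in Steps 2 to 4 looks like when done systematically rather than by hand: it searches a constructed set of messages from several systems for the requester’s identifiers, redacts other people’s email addresses from the matches, flags messages containing words that suggest legal advice for human privilege review, and records which systems were searched and which identifiers were used, which is exactly the audit trail described later on this page. The requester identifiers, message sources and keyword list are assumptions made for the example. Names of third parties in free text still need manual review, because a pattern match only catches email addresses.

```python
import re
from dataclasses import dataclass

# Hypothetical identifiers for the requester (constructed for this example).
REQUESTER_IDS = ("jane.doe@example.com", "CUST-4412")

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Words that suggest legally privileged material. A hit means "a human must
# review this", not "automatically exempt": privilege is a legal judgement.
PRIVILEGE_TERMS = ("legal advice", "solicitor", "privileged")


@dataclass
class Message:
    source: str          # system the item came from, eg "support-mailbox"
    ref: str             # identifier within that system
    sender: str
    recipients: tuple
    body: str


@dataclass
class Hit:
    source: str
    ref: str
    redacted_body: str
    privilege_review: bool


@dataclass
class SearchRecord:
    identifiers: tuple       # what was searched for (for the audit trail)
    sources_searched: tuple  # every system searched, including ones with no hits
    hits: list


def mentions_requester(msg, identifiers):
    """Case-insensitive match of any identifier in sender, recipients or body."""
    haystack = " ".join((msg.sender, *msg.recipients, msg.body)).lower()
    return any(i.lower() in haystack for i in identifiers)


def redact_third_party_emails(text, identifiers):
    """Replace every email address that is not one of the requester's own.
    Staff addresses are redacted too; a reviewer decides what to restore."""
    keep = {i.lower() for i in identifiers}

    def replace(match):
        addr = match.group(0)
        return addr if addr.lower() in keep else "[REDACTED: third party]"

    return EMAIL_RE.sub(replace, text)


def needs_privilege_review(text):
    low = text.lower()
    return any(term in low for term in PRIVILEGE_TERMS)


def run_search(messages, identifiers=REQUESTER_IDS):
    """Search all messages, redact matches and return an auditable record."""
    hits = []
    for msg in messages:
        if not mentions_requester(msg, identifiers):
            continue
        hits.append(Hit(msg.source, msg.ref,
                        redact_third_party_emails(msg.body, identifiers),
                        needs_privilege_review(msg.body)))
    sources = tuple(sorted({m.source for m in messages}))
    return SearchRecord(tuple(identifiers), sources, hits)


# Constructed sample data standing in for exports from three systems.
SAMPLE_MESSAGES = [
    Message("support-mailbox", "msg-101", "support@example.co.uk",
            ("jane.doe@example.com", "bob.smith@othercustomer.example"),
            "Hi Jane, copying bob.smith@othercustomer.example who raised the same issue on your order."),
    Message("hr-mailbox", "msg-207", "hr@example.co.uk", ("owner@example.co.uk",),
            "Re complaint from CUST-4412: we have asked our solicitor for legal advice on the threatened claim."),
    Message("crm", "note-55", "sales@example.co.uk", (),
            "Called customer CUST-9001 about renewal."),
]

if __name__ == "__main__":
    record = run_search(SAMPLE_MESSAGES)
    print("Searched:", record.sources_searched, "for", record.identifiers)
    for hit in record.hits:
        flag = " [PRIVILEGE REVIEW]" if hit.privilege_review else ""
        print(f"{hit.source}/{hit.ref}{flag}: {hit.redacted_body}")
```

Run as-is it prints two hits: the support email with the other customer’s address redacted, and the HR email flagged for privilege review; the CRM note about a different customer is not matched but still appears in the list of systems searched. The returned SearchRecord is the thing to keep on file, since it answers “what did you search, for what, and what did you withhold” if the response is ever challenged.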
Step 4: Prepare Your Response Pack
Usually, your response includes:
- a cover letter/email explaining what you’re providing and why;
- the personal data itself (often as PDFs or exports) - check that redactions are actually removed from the file rather than just covered with a box (text under a drawn-on box can often still be copied out), and that spreadsheet or CRM exports don’t carry hidden columns, comments or metadata you didn’t mean to send;
- notes on redactions or withheld categories (where relevant);
- the extra information required under UK GDPR (purposes, recipients, retention, rights).
Step 5: Deliver It Securely
Send personal data securely (eg encrypted files, password-protected links, secure portals). Send any password by a separate channel from the file or link itself, double-check that the destination address is the one you verified the requester controls, and avoid sending sensitive personal data as plain, unprotected attachments.
This is also where having internal rules around systems and data handling really helps - for example, an Acceptable Use Policy can reduce the chance that personal data is scattered across unmanaged devices and accounts, making SAR searches harder and riskier.
Step 6: Decide If You’re Refusing Anything (And Document Why)
If you’re withholding or refusing anything, document your reasoning clearly. If you’re on the fence, it’s usually worth getting legal advice before you respond - especially where employment disputes or threatened claims are involved.
Key Takeaways
- In the UK, a company can refuse a subject access request sometimes - but only on specific legal grounds (eg manifestly unfounded, manifestly excessive, or where exemptions apply).
- In many cases, the best approach isn’t a full refusal - it’s partial compliance, with lawful redactions and withheld categories (eg third-party data or legally privileged advice).
- You can (and should) verify identity before disclosing personal data, especially where the information is sensitive.
- Don’t ignore deadlines: SARs usually require a response within one month, with limited ability to extend in complex cases.
- If you refuse (or partially refuse), give clear reasons, explain the requester’s rights, and keep a strong audit trail of your decision-making.
- Putting simple systems and policies in place early makes SARs far less stressful and helps protect your business from accidental disclosure or non-compliance.
If you’d like help handling a SAR, putting a process in place, or working out whether you can lawfully refuse part (or all) of a request, you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligations chat.