DSAR Exemptions: What Are They & Why Do They Matter?

Table of Contents

Under the GDPR, all residents of the EU are allowed, within reason, to request access and modification/deletion of their personal data on file at any business that has it.

However, this data protection law does allow for certain DSAR exemptions for businesses that have valid reasons not to perform it.

In this article, we will cover the criteria that a business can use to refuse a DSAR. We will provide the details that would be qualified as acceptable, as well as elaborate on what could happen if a business refuses a DSAR without the proper evidence to prove its reasoning.

Let’s dive in.

Key Takeaways

The GDPR does allow a business to make exemptions toward DSAR requests if it can be proven that the processing request is used for unfounded or malicious intent purposes.

A business must carefully analyze and make the right judgment for either allowing or refusing to do a DSAR. Understanding and knowing what can and cannot be expected is crucial for the business’s success.

Refusing to do a DSAR that is not justified for exemption can lead to lawsuits and fines that can be disruptive to the business.

DSAR Explained

DSAR Explained.jpg

DSAR Explained.jpg

A Data Subject Access Request (DSAR) is a right under the GDPR that allows all EU residents to request access to their personal data on file at any business that has processed their data.

Article 1 of the GDPR states that the purpose of this law is to allow the freedom of movement of personal data. Under this right, citizens of Europe have the right to have more control over their data.

Data subjects can make requests to ensure that their data is handled reasonably by businesses and that they are respecting one’s data privacy. The data subject also has the right to modify, transfer or delete any data under Articles 17 and 19 of the GDPR.

In most cases, a business has to comply with a subject’s access request. Valid reasons, such as disclosure of what data is being collected and how it is being used, must be explained.

You must also respond if the data subject wants to know what data is on file and must respect the decision of modification or deletion if the subject wishes to do so. The GDPR data protection regulation states that all businesses must lawfully address concerns that a data subject has regarding their data protection.

A business must comply with the data subjects’ right to their personal information. They must also respond to the DSAR within a reasonable timeframe. Typically, a business is given 30 days, but it can be extended depending on the scope of the request.

What Are DSAR Exemptions?

A DSAR exemption is an exception for when a business does not have to comply with the DSAR for reasons that the business found were excessive, unfounded, or contained malicious intent to the request.

The GDPR does allow businesses to deny offering DSAR under certain conditions that pertain to unfoundedness, excessive nature, or malicious intent under Article 21.

If a business decides to refuse DSAR, they must notify the reason why to the data subject and also provide evidence for their reasoning.

A business should carefully observe the language that the data subject uses to help identify the intent of the DSAR. If the business decides to reject the DSAR, it must have ample evidence to back up its reasoning for doing so.

List of DSAR Exemptions

List of DSAR Exemptions.png

List of DSAR Exemptions.png

Under the GDPR, a business has the right to object to the DSAR request if it falls under certain criteria. Below are specific examples that a data controller can use if they can prove any of the following:

Unfounded, Excessive, or Malicious

Excessive requests, such as demanding an abundance of physical copies of data, can be strenuous on a business’s internal resources, which is why it can be used as an exemption. If a data subject can prove that there is a valid reason for an excessive request, then the data controller has to comply.

An unfounded request can be determined if the subject’s request is used not to exercise their freedom of privacy but instead for their own benefit. A request for DSAR for marketing or commercial purposes, for example, is considered unfounded.

Malicious intent can be defined as if the DSAR is only intended to cause harm to a business or others. Making unreasonable demands to be disruptive to the business’s resources counts as a malicious act. Below are cases that are considered to be malicious intent.

Serious Harm to Data Subject

If a data controller believes that performing a DSAR could lead to harm to the subject, then the controller can deny the approval of performing the DSAR.

Sensitive information, such as medical records that contain medical conditions.), should be handled very carefully, and it should be considered if this data could cause serious harm.

It should be closely examined for what they intend to do with the information, and you must ensure that no serious harm will come to them if this information is released. It is important to reiterate to them how they should handle their personal data responsibly.

Safeguards Other’s Individual Data

If the requested personal data includes information about other individuals without their specific consent, a DSAR request can be rejected. The data controller (business) should safeguard the privacy rights of all involved and cannot share or disclose another individual’s data without their consent.

A business DSAR management should follow strict procedures when safeguarding other’s data because if it doesn’t properly safeguard the data, it could lead to a data breach.

Protect the Rights of Others

The data controller must determine if the DSAR is not being used to harm others. Anything that can be taken to be used for malicious purposes should not comply with the data subject’s request.

Businesses can refuse a DSAR if it infringes the rights and freedoms of others. For example, if a person is trying to collect data on someone else, then it can be refused to protect data from a third party without consent as an excuse, according to Article 15.

A data controller must be able to verify the identity of the data subject in order to prevent it from falling into the wrong hands of someone else. Effective compliance training can help the data controllers better identify when the DSAR is infringing on another’s rights.

Crime Prevention

If a data subject makes a DSAR while being investigated by law officials, then it could be refused due to reasons pertaining to public interest.

An exemption could be justified if the request could be used as a tool or to cause obstruction of the law. A quest to delete certain transactions or documentation of dialogue could be a red flag that they may be trying to hide ample evidence against them.

Article 10 states that while under criminal investigation, the data controller must abide by the law officials first before the approval of a processing request.

Trade Secrets

A request for personal data that leaks any kind of trade secret, strategy, or intellectual property can be challenged as malicious in nature.

Creating a balance that grants access to personal data and pectin of business assets must be established through a corporate compliance plan in order to set certain standards.

Can You Refuse a DSAR?

Yes, a business can refuse to do DSAR if the processing request is deemed either unfounded, excessive, or malicious or unlawful in nature.

An unfounded reason can be challenged if the DSAR is for a reason that does intend to exercise their freedom but their personal interest. It could be to get back at unless that they formally worked at by asking an unreasonable request and withdrawing from it.

Excessive exemption can be defined by repetitive requests that have no justification as to why. If a person keeps making a DSAR request one after another, it could be deemed excessive.

Malicious and unlawful intent can be defined by the nature in which it can be used to harm others. As mentioned, using it to cover a crime scene is malicious, along with requesting trade secrets, requesting other people’s data without consent, or if it could cause serious harm. Abusing DSAR requests to hurt a business also counts as an exemption.

All of the above does require proof and ample evidence by the data controller in order to justify the exemption of the DSAR processing.

Do You Have to Do a DSAR if it Contains Data About Another Person?

Following a DSAR request from a data subject that wants information on another person is a complex issue. It can be done, but it must follow the strict guidelines mandated by the GDPR in order to do so.

The data subject must be able to prove that they have received explicit consent from the person of the data they are accessing. The controller would also have to verify the consent by contacting the data subject to ensure it’s safe to do so.

Legal basis must be considered. Authorizing third-party access can result in major penalties if it leads to any harmful intent of the data subject. Ensuring that your data controller is up-to-date with current data protection laws is essential to make sure that they follow all the guidelines necessary.

Consequences of Not Responding to a DSAR While Not Exempt

Consequences of Not Responding to a DSAR While Not Exempt.jpg

Consequences of Not Responding to a DSAR While Not Exempt.jpg

Refusing to do DSAR without a solid reason can really bring major fines and penalties to the business. It can also lead to major disruptions that could ultimately lead to a business being shut down.

GDPR fines could reach up to €20 million or 4% of the company’s total global annual turnover of the preceding financial year, whichever is higher. This could be paired with a public reprimand that would damage the business’s reputation.

The data subject would have the legal right to press charges against the business for failure to deliver the DSAR as well.

Not only could a lawsuit result in major fines and legal fees, but it could tarnish the reputation of the business. Most consumers will want to avoid a business that is being accused of malpractice intent.

Lawsuits also lead to investigations, which could impact how the business operates by diverting resources to address the issue. Lawsuits also take time and can be drawn out, meaning it could take months or even years before it can resume back to normal functionality.


A business should approach all DSARs on a case-by-case basis. Some DSARs are not straightforward and require thorough analysis and effective judgments of the situation. Making the wrong decisions can be financially devastating to a business.

Thankfully, the superheroes at Captain Compliance are experts who are versatile in topics such as DSARs and other data protection law-related topics. Our experts can help your business be prepared and ready to handle any DSAR request that goes your way.

If you are a business that is concerned with the strict guidelines of the GDPR, then consider outsourcing your compliance services to us here at Captain Compliance. Get in touch with an expert today and learn how your company can become compliant!


Can exempting a DSAR be expensive?

Taking the time to find reasons for exempting a DSAR can be time-consuming, depending on the complexity of the issue. A DSAR that involves dealing with a data subject that wants access to another person’s data can take time to investigate the legality of the request.

Explore DSAR software options to help automate the princess in our detailed article.

Can a business refuse to do a DSAR under the CCPA?

Yes, the California Consumer Protection Act (CCPA) allows businesses to refuse a data subject access request under certain conditions similar to the GDPR. A business under the CCPA can refuse if it deems the data access request is excessive, unfounded, or malicious in nature.

Need more info? Learn more about CCPA in our detailed article.

What happens if a data subject lies about their intent with the DSAR?

If a data subject lies about their intent with the DSAR, it can potentially create legal and ethical complications. The company has an obligation to verify the identity of this person before releasing any information. If there is suspicion or proof that a requester might use personal data for unlawful purposes (fraudulent activities, harm, etc), then denying access may be within rights.

Learn more about data risk assessments here in our article covering the topic.

Can a business refuse to do DSAR if it involves leaking trade secrets?

Yes, a business can refuse a data success request if it involves disclosing any trade secrets or intellectual properties that the business has. However, the business will still need to provide justification as to why they refuse to do the DSAR.

Learn more about corporate governance and how it gives your business protection rights in our detailed article.

Online Privacy Compliance Made Easy

Captain Compliance makes it easy to develop, oversee, and expand your privacy program. Book a demo with a compliance SuperHero or get started today.