Under privacy laws like the GDPR and CCPA/CPRA, data subjects can submit formal requests to exercise their user rights over their personal information. But these laws also allow businesses to deny those requests under specific, lawful circumstances.

If someone bombards your business with frivolous requests, tries to extort a payout, or asks for data covered by legal privilege, you can (and sometimes must) refuse. But there's a right way to do it. Denying a request without a clear, lawful reason or failing to explain and document your decision can invite legal troubles, among other things.

This article breaks down the lawful grounds for denying a data subject request under major privacy laws. You'll also find response templates and documentation tips to help you handle denials effectively.


Lawful Grounds to Deny Data Subject Requests Under Key Privacy Laws

While privacy laws generally require businesses to honor data subject requests, they also allow you to refuse requests, as long as your refusals are legally justified, clearly communicated, and properly documented.

Let's start with the lawful grounds under major privacy laws today.

Under the GDPR (European Union)

The EU's General Data Protection Regulation (GDPR) gives its data subjects eight rights over their personal data, including the right to access, correct, delete, and restrict the use of their data, to name a few.

While data subjects can exercise any of these rights through formal requests, the right of access, exercised through a Data Subject Access Request (DSAR), is the most commonly invoked.

A data subject can submit requests either in writing or verbally and through various channels, including email, phone call, letter, or even social media.

In cases of electronic data processing, Recital 59 of the GDPR encourages businesses to provide electronic request options (like web forms or email) to simplify submissions. Businesses must also respond to requests within at most one month and give clear reasons for denials.

EUR LEX GDPR Recital 59: electronic requests option

Importantly, the GDPR provides clear grounds for refusing a data subject request (fully or partially), depending on the nature of the request itself or specific exemptions. Article 12(5) of the GDPR makes clear that businesses can either charge a reasonable fee or deny a request if it is "manifestly unfounded" or "manifestly excessive."

EUR LEX GDPR Article 12(5): manifestly unfounded or excessive requests

Note that your business (as the data controller) is responsible for proving that requests are manifestly unfounded or excessive. Let's take a closer look at what these mean under the GDPR.

Manifestly Unfounded Requests

A request can be considered manifestly unfounded when data subjects show no genuine intent to exercise their rights in good faith. The use of "manifestly" sets a high bar, as it requires clear (almost glaring) evidence of bad faith or improper purpose.

According to guidance from the UK Information Commissioner's Office (ICO), manifestly unfounded requests typically cover situations where a request is used to harass or disrupt your business, such as:

  • Explicitly stating an intent to cause disruption
  • Making baseless accusations against employees
  • Targeting a specific employee due to a personal grudge
  • Systematically sending numerous requests as part of a campaign to overwhelm you
  • Offering to withdraw requests in exchange for a benefit or payment from you

Keep in mind that aggressive language alone doesn't necessarily make a request unfounded if the underlying purpose remains legitimate. Remember, the burden of proof rests entirely on the controller or business to justify a denial, and this justification should be fact-specific and documented.

Manifestly Excessive Requests

A request is "manifestly excessive" if it's clearly unreasonable, especially when considering the burden or cost involved for your business compared to the data subject's need for the information.

Unlike unfounded requests, excessive ones may have valid underlying purposes but require disproportionate resources or effort. The UK ICO recommends that you consider the following factors to decide if requests are manifestly excessive:

  • The nature of the requested information
  • The context of the request and your relationship with the data subject
  • Whether refusing the information might cause significant harm to the individual
  • Your available resources
  • If the request largely repeats previous requests within an unreasonable time frame, especially if the data hasn't changed
  • If the request significantly overlaps with other ongoing requests

Notably, a large volume of requested information doesn't automatically make a request excessive. You should first consider whether you can ask the data subject to narrow their request or fulfill the request partially.

The UK ICO also emphasizes that businesses must evaluate each request individually rather than applying blanket policies. Previous manifestly unfounded or excessive requests don't automatically affect future ones from the same individual.

UK ICO guidance on data subject requests

Other General Exemptions For Denying Data Subject Requests

Beyond unfounded and excessive requests, the GDPR contains other exemptions that may let you refuse or limit compliance with specific user rights.

For example, the right to restrict processing in Article 18 applies only in specific situations, such as when data subjects contest the accuracy of their personal data. If a restriction request doesn't fall under any of these conditions, you can legally refuse.

EUR LEX GDPR Article 18: Right to restriction of processing

Other GDPR rights, like access, erasure, and objection, also come with their own exemptions that may let you deny data subject requests.

For instance, you can deny a request for erasure if keeping the data is necessary to comply with a legal obligation or to establish or defend legal claims. Similarly, a request to object to processing can be denied if you show compelling legitimate grounds that override the data subject's interests.

In every case, the burden falls on your business (as the data controller) to assess the request carefully and document why an exemption applies. Blanket refusals or generic policies won't satisfy regulators.

Under the Data Protection Act 2018 (United Kingdom)

The UK's Data Protection Act 2018 (which works alongside the UK GDPR) essentially mirrors the EU GDPR's provisions when it comes to denying data subject requests. That said, there are a few key exemptions worth noting.

Schedules 2 to 4 of the UK DPA include several exemptions from granting access to personal data, as well as from fulfilling other rights, where doing so would:

  • Prejudice law enforcement, national security, or certain regulatory functions
  • Reveal confidential employment references or exam scripts
  • Breach legal professional privilege

Here's how guidance from the UK ICO explains this:

UK ICO Guidance on data protection exemptions

These exemptions aren't automatic. You must apply them on a case-by-case basis, keep a record of your reasoning as proof of compliance, and make sure the exemption clearly applies to the data and the request in question.

UK ICO Guidance on how exemptions work

Whenever you deny a request under the GDPR or UK DPA, you're required to explain your decision to the data subject, inform them of their right to complain to the applicable data protection authority (like the ICO in the UK or CNIL in France), and remind them that they may also seek a judicial remedy.

Note that the Data Use and Access Act 2025 (DUAA) introduced important refinements to how DSAR denials are handled:

  • Stop-the-Clock Provision (Article 12A): Controllers can formally "pause" the one-month DSAR response period when awaiting clarification or identity verification, restarting once the needed information is received.
  • New Statutory Privilege Exemption (Section 45A DPA 2018): Legal professional privilege now has explicit statutory recognition, allowing refusal without disclosing details that would undermine the privilege.

These updates require controllers to document the start and end dates of any pause and to clearly record the legal grounds for invoking privilege.

Under the CCPA and CPRA (California, US)

Like the GDPR, the California Consumer Privacy Act (CCPA) and its amendment, the California Privacy Rights Act (CPRA), give consumers several rights over their personal information.

They include the right to know, correct, delete, and opt out of the sale or sharing of their data (to name a few). These rights are also subject to limitations, and businesses aren't always required to comply with every request.

Section 1798.145(h)(3) of the CCPA/CPRA allows businesses to either charge a reasonable fee or deny requests that are "manifestly unfounded or excessive," particularly where they are repetitive or harassing in nature. Businesses bear the burden of proving this as well.

CCPA Section 1798.145(h)(3): Denying consumer requests

The interpretation of "manifestly unfounded or excessive" also generally aligns with the GDPR's provisions, focusing on intent and proportionality. You must notify consumers of denials within 45 days, plus an extension of up to 90 days for complex requests.

Beyond the "unfounded or excessive" exemption, the CCPA/CPRA provides several other scenarios where businesses are not required to comply with consumers' requests, especially for deletion, access, and correction rights.

These exemptions are primarily set out in section 1798.105(d) for deletion requests, with similar principles extending to other rights under section 1798.145. In short, businesses can deny requests if the personal information is necessary to:

  • Complete a transaction or fulfill a contract with the consumer
  • Detect or prevent security incidents and fraud
  • Debug and repair system errors
  • Exercise or protect legal rights, including free speech
  • Comply with a legal obligation
  • Retain for internal use aligned with consumer expectations
  • Support public or peer-reviewed research (with consumer consent)
  • Protect trade secrets (for access requests)
  • Preserve legal privileges, like the attorney-client privilege

Additionally, exercising consumer rights generally depends on proper identity verification. If your business cannot reasonably verify the identity of the consumer or their authorized agent, you're not required to honor their requests under most privacy laws, including the CCPA/CPRA.

CCPA Section 1798.140(ak): Definition of verifiable consumer request

As with the GDPR, request denials under the CCPA/CPRA must be explained clearly, and businesses must inform the consumer of any right to appeal. Under the CPRA, businesses must:

  • Acknowledge Receipt: Provide confirmation within 10 business days of receiving the request.
  • Respond Within 45 Calendar Days: This can be extended by an additional 45 days where necessary, with notice to the consumer.
  • Frequency Limits: Fulfillment of certain requests (e.g., access/portability) is required no more than twice in any 12-month period.
  • Verification Standards: Identity verification must be carried out using commercially reasonable methods, with higher verification thresholds for sensitive personal information (e.g., account deletion, Social Security numbers). Failure to verify allows lawful denial.

Documenting each verification step is essential to defend against potential challenges.

Under PIPEDA (Canada)

Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) gives individuals the right to access their personal information held by private-sector organizations.

Upon request, businesses must inform the individual of the existence, use, and disclosure of their data and provide access to it. But, as under other regimes, this right is not absolute. Organizations can refuse access requests under specific, limited circumstances. These include cases where disclosing the data would:

  • Be prohibitively expensive to fulfill
  • Reveal proprietary or confidential commercial information
  • Compromise another person's privacy
  • Pose reasonable threats to security
  • Breach legal privilege (such as solicitor-client privilege)

See example below:

PIPEDA Principle 9: Individual Access

These exemptions are tightly scoped, and any justifiable denial must be accompanied by a clear explanation if the individual asks for one.

Under Other Global Frameworks

Several other global data privacy regimes share common themes for lawfully denying data subject requests.

While the specific wording and nuances vary by jurisdiction, you'll often encounter similar lawful grounds for refusal across laws like Australia's Privacy Act of 1988, Singapore's Personal Data Protection Act (PDPA), and others.

Common lawful grounds typically include:

  • Unreasonable Burden or Expense: Requests that would be too costly, time-consuming, or disproportionately burdensome to fulfill.
  • Legal or Regulatory Compliance: Retention or processing of data that is required by other applicable laws (e.g., for tax purposes or anti-money laundering laws).
  • Protection of Third-Party Rights: Disclosure that would involve revealing the personal information of other individuals without their consent or another lawful basis.
  • Legal Professional Privilege: Data that is subject to attorney-client privilege or similar legal privileges.
  • Security Concerns: Disclosure that could compromise the security of systems, data, or lead to fraudulent activity.
  • National Security, Law Enforcement, Public Health, or Safety: Exemptions often apply to data processed for vital public interests, like preventing crime, safeguarding national security, or protecting public health and safety.

For example, here's a comprehensive list of exceptions that let organizations deny access to personal information under Australia's Privacy Act of 1988:

Australia Privacy Act of 1988: Exception to access

If your organization operates across multiple jurisdictions, it's especially important to consult each privacy law applicable to your data processing activities, as each law will have its precise wording and interpretation of these grounds for denial.

Sample Templates for Legally Denying Data Subject Requests

Your response to a denied data subject request becomes part of the legal record and directly influences whether regulatory authorities view your refusal as justified or arbitrary.

Regulators expect organizations to communicate request denials in plain language, while still meeting the formal expectations of data protection laws. Clarity, consistency, and even tone will all play important roles alongside the legal accuracy of denials.

Across most privacy laws, each denial response should include the following essential elements:

  • A clear statement that the request has been denied (in whole or in part)
  • The legal basis under the relevant law (GDPR, UK DPA, CCPA, etc.)
  • Sufficient justification for the refusal to show reasoned decision-making
  • Details of the individual's right to lodge a complaint with a supervisory authority and/or seek judicial remedy
  • Contact details for further clarification, if applicable

Below are some flexible, jurisdiction-agnostic templates you can adapt for data subject request denials:

Template for Manifestly Unfounded Requests

Subject: Response to Your Data Subject Request

"We have carefully reviewed your request for [access to / deletion of / correction of] personal data dated [date]. After thorough consideration, we are unable to fulfill this request as we consider it manifestly unfounded under [e.g., Article 12(5) of the GDPR / Section 1798.145(a) of the CCPA].

Our assessment indicates that [brief explanation, e.g., this request appears designed to harass our organization rather than exercise legitimate privacy rights].

This is evidenced by your [e.g., explicit statement that you would withdraw this request for financial compensation / systematic submission of identical requests targeting specific employees].

You have the right to lodge a complaint with [relevant supervisory authority] and to seek judicial remedy through [appropriate court system]. If you have any questions about this decision, you can contact us at [designated privacy contact]."

Template for Manifestly Excessive Requests

Subject: Response to Your Data Subject Request

"We have reviewed your request for [specific data/action] dated [date]. While we remain committed to helping exercise your privacy rights, we cannot fulfill this request as we find it to be manifestly excessive under [relevant legal provision].

Our assessment considered [relevant factors such as the disproportionate burden this request would place on our resources / the repetitive nature of this request, given your identical inquiry submitted on [date] without sufficient intervening time].

You may contact [relevant supervisory authority] if you wish to contest this decision, and you also have the right to pursue a judicial remedy where applicable. For further clarification, feel free to reach out to [contact details]."

Template for Statutory Exemptions

Subject: Response to Your Data Subject Request

"We are unable to fulfill your request for [access to / deletion of / correction of certain personal data] as it falls under a lawful exemption in [specific legal provision, such as Article 15(4) GDPR / Schedule 2, Part 4 of the DPA 2018 / section 1798.105(d) of the CCPA].

This exemption applies where [brief explanation, such as disclosure would reveal confidential legal communications protected by privilege].

We are mindful of our duty to be as transparent as possible. However, disclosing further details may prejudice the purpose of the exemption itself.

You retain the right to complain to [relevant supervisory authority] and pursue a judicial remedy through [appropriate court system]. Contact us at [contact information] if you would like to discuss this further."

Template for Partial Compliance

Subject: Response to Your Data Subject Request

"Regarding your request dated [date] for [briefly describe request], we have partially fulfilled your request by providing [briefly describe what has been provided, e.g., marketing preferences and account details].

However, we have withheld certain information because it falls under [specific lawful ground, e.g., an applicable exemption under Article 15(4) of the GDPR / it is manifestly excessive according to section 1798.145(h)(3) of the CCPA].

You may contact [relevant supervisory authority] if you wish to challenge this decision. You also have the right to pursue a judicial remedy where applicable. If you need further clarification, please feel free to reach out to [contact details]."

Documentation and Record-Keeping: Proving Your Compliance

Denying a data subject request is a significant decision, and proving you did so lawfully is just as important as the denial itself. That's where proper documentation comes in.

Why Document Data Subject Request Denials?

Article 5(2) of the GDPR sets out the accountability principle, which states that controllers must be able to demonstrate their compliance with all applicable data protection requirements. This includes data subject request denials.

EUR LEX GDPR Article 5(2): Accountability principle

Many other global privacy laws mirror this provision in some form to uphold transparency and accountability. Simply put, proper documentation helps prove to supervisory authorities (like the ICO, CPPA, etc.) that your business followed due process, applied the law correctly, and acted in good faith.

Good records also provide operational clarity as they support better handling of future data subject requests and reduce the risk of inconsistent decisions.

Documentation Checklist for Data Subject Requests

To maintain audit-ready, legally sound records, keep the following documented for every denied data subject request:

  • Date and time of request receipt
  • Identity of the data subject, and the verification steps taken
  • Nature of the request (access, erasure, objection, etc.)
  • Date and time of the denial decision
  • Specific lawful ground(s) relied upon (manifestly unfounded, legal privilege, etc.)
  • Brief specific justification, grounded in factual assessment (e.g., "The request included a demand for monetary compensation in exchange for withdrawal")
  • Records of internal assessments or legal advice, if obtained
  • Copy of the response sent to the data subject
  • Date and method of communication (email, secure portal, etc.)
  • Any follow-up correspondence, complaints, or corrective actions related to the request

While privacy laws vary, a good practice (mirroring ICO guidance on accountability) is to retain denial-related documentation for at least two years from the date of refusal, or longer if local laws or internal policies require. This retention period supports potential audits, investigations, or legal proceedings.

Maintaining comprehensive records of data subject requests helps ensure transparency, repeatability, and readiness for audits or investigations from supervisory authorities. Without it, you can't prove your compliance, which is as good as violating privacy laws.
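The timing rules above (the one-month GDPR period with a DUAA "stop the clock" pause, the CCPA 45-day period with its 45-day extension, and the twice-in-12-months frequency limit) and the documentation checklist are easy to get wrong when tracked by hand. The following is an added example of a small DSAR register that computes deadlines and flags incomplete denial records; it is not code from the original article. The record fields, function names, and the sample request are constructed for illustration, and "one month" is taken as the same calendar day in the following month, clamped to that month's last day, which is an assumption rather than a statutory definition.

```python
"""Added example: a minimal DSAR denial register (not part of the original article).

Assumptions (not from the page): all field and function names are constructed;
"one month" is computed as the same calendar day in the following month,
clamped to the end of that month.
"""
from calendar import monthrange
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional


def add_months(d: date, months: int) -> date:
    """Same day N months later, clamped to the end of the target month."""
    y, m = divmod(d.month - 1 + months, 12)
    year, month = d.year + y, m + 1
    return date(year, month, min(d.day, monthrange(year, month)[1]))


@dataclass
class Pause:
    """A 'stop the clock' pause; end is None while still awaiting the data subject."""
    start: date
    end: Optional[date] = None


@dataclass
class DsarRecord:
    request_id: str            # constructed internal reference
    regime: str                # "GDPR" or "CCPA"
    received: date
    request_type: str          # access, erasure, objection, ...
    verification_steps: str = ""
    pauses: List[Pause] = field(default_factory=list)
    extended: bool = False     # CCPA: extra 45 days, with notice to the consumer
    decision: Optional[str] = None        # "granted", "denied", "partial"
    lawful_ground: Optional[str] = None   # e.g. "manifestly unfounded, Art. 12(5)"
    justification: Optional[str] = None   # fact-specific reasoning
    decided_on: Optional[date] = None
    response_copy: Optional[str] = None   # text actually sent to the data subject
    sent_via: Optional[str] = None        # email, secure portal, ...


def paused_days(rec: DsarRecord, today: date) -> int:
    """Total days the clock was stopped; an open pause counts up to today."""
    total = 0
    for p in rec.pauses:
        total += max(((p.end or today) - p.start).days, 0)
    return total


def response_deadline(rec: DsarRecord, today: Optional[date] = None) -> date:
    """Statutory response deadline for the record's regime."""
    today = today or date.today()
    if rec.regime == "GDPR":
        # one month from receipt, pushed back by any documented pause
        return add_months(rec.received, 1) + timedelta(days=paused_days(rec, today))
    if rec.regime == "CCPA":
        return rec.received + timedelta(days=45 + (45 if rec.extended else 0))
    raise ValueError(f"unsupported regime: {rec.regime}")


def within_frequency_limit(prior: List[date], new_request: date,
                           limit: int = 2, window_days: int = 365) -> bool:
    """CCPA: certain requests need be fulfilled only twice in any 12-month period."""
    window_start = new_request - timedelta(days=window_days)
    recent = [d for d in prior if window_start < d <= new_request]
    return len(recent) < limit


def missing_denial_fields(rec: DsarRecord) -> List[str]:
    """Checklist items that must be present before a denial counts as documented."""
    required = {
        "verification_steps": rec.verification_steps,
        "lawful_ground": rec.lawful_ground,
        "justification": rec.justification,
        "decided_on": rec.decided_on,
        "response_copy": rec.response_copy,
        "sent_via": rec.sent_via,
    }
    return [name for name, value in required.items() if not value]


def retention_until(rec: DsarRecord, years: int = 2) -> date:
    """Keep denial records at least two years from the refusal date."""
    if rec.decided_on is None:
        raise ValueError("no decision date recorded")
    return add_months(rec.decided_on, 12 * years)


if __name__ == "__main__":
    # constructed sample: GDPR access request paused for a week pending ID checks
    rec = DsarRecord("DSAR-0001", "GDPR", date(2025, 1, 31), "access",
                     pauses=[Pause(date(2025, 2, 3), date(2025, 2, 10))])
    print("deadline:", response_deadline(rec, today=date(2025, 2, 12)))
    rec.decision = "denied"
    print("still missing:", missing_denial_fields(rec))
```

Run as a script it prints the adjusted deadline (7 March 2025 for the sample) and the checklist fields that are still empty, which is the point: a denial that has a decision but no lawful ground, justification, or copy of the response is exactly the record a regulator would treat as undocumented. Pause start and end dates are stored as data rather than folded into the deadline, so the register itself is the evidence that the clock was stopped lawfully.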

Summary

Denying data subject requests typically serves to uphold confidentiality, protect legal privilege, and stop patterns of harassment disguised as privacy activism. That said, denials are legal decisions, and they must be justified and recorded accordingly.

To recap:

  • Every denial must rest on strong, specific lawful grounds
  • Clear, structured, non-confrontational communication is required
  • Proper documentation is your proof of compliance to regulatory authorities

For airtight legal protection, always seek legal counsel. Denials are part of a responsible, rights-respecting data governance strategy. Even when the answer is "no," your process should reflect your commitment to doing things lawfully and in good faith.
