UK DPA Exemptions: What are they and when are they relevant?

The right to access personal data is not absolute and there are situations where a controller will not need to comply/fully comply with a Data Subject Access Request (DSAR). These exemptions can be useful, but the most important thing to note when approaching them is to look at each one on a case-by-case basis and not to apply a blanket approach.

Under GDPR a controller is not obliged to respond to a DSAR which is “manifestly unfounded or excessive”.

This may be relevant where, for example, the request is malicious and designed to cause disruption rather than to exercise the right of access, or where the individual clearly has no intention of exercising their right, for example where they use the right of access as a bargaining tool to get what they want. If the individual submits multiple overlapping or repeat requests, this may indicate that the requests are excessive, but if the processing is complex or changes frequently the requests may simply reflect that.

You will need to consider the circumstances of the request carefully before relying on this exemption. The excessive or unfounded nature of the request must be very clear.

The GDPR also provides that national law can set out situations where a controller is not obliged to comply with the right of access. In English law these are contained in the UK Data Protection Act 2018.

There is a fairly long list of exemptions; some commonly used examples are:

Legal professional privilege – This exemption covers legal advice privilege (the seeking and obtaining of legal advice) and litigation privilege, which relates to correspondence with a legal professional or other third party where litigation is contemplated or in progress. This exemption can cover seeking or obtaining legal advice from in-house lawyers, although care should be exercised as to who the client is in that situation, and privilege may not apply to all communications with in-house lawyers if they are also involved in strategic or commercial decision-making for the organisation.

Management information – If you have processed personal data for the purposes of business forecasting or planning, this will be exempt from disclosure if the disclosure would prejudice the business activities in question at the time you are applying the exemption. If the plans have already been put into action, disclosure is unlikely to prejudice those activities.

Negotiations – If you are in negotiations with the data subject, perhaps in relation to a litigious matter, you do not have to disclose personal data which shows your intentions in relation to the negotiations (e.g. a desire to settle quickly to keep any payments within a financial year). This exemption only applies where disclosure would be likely to prejudice the negotiations at that time. Once negotiations are over (e.g. once a settlement has been reached in a redundancy), it would be very difficult to apply this exemption.

Confidential references – Personal data contained in confidential references does not have to be disclosed. The exemption applies to both giving and receiving references. To rely on it, you need to have clearly informed individuals, in the privacy information you provide to them, that references are treated as confidential.

You need to be clear about which national laws apply to the DSAR, as this will affect which exemptions are available.

As mentioned throughout this series of posts, it is very important to document your decision-making and reasoning in relation to the use of exemptions so that you can justify your position to the regulator or the individual if necessary.

Also, it is important to remember that even if you do not have to disclose some or all of the information requested, you will still need to inform the data subject of your decision. You should be as open as you can with the individual about refusing to provide information, but you do not have to go into detail that would prejudice the exemption you are relying on.
