Under the General Data Protection Regulation (GDPR), there are circumstances in which a company may refuse to comply with a subject access request (SAR), the request by which an individual exercises the right of access in Article 15.
However, a refusal must be justified, and the justification must rest either on the GDPR itself or on a restriction that national law has enacted under Article 23 GDPR; the GDPR text contains few refusal grounds of its own. The circumstances most often relied on are:
1. **Manifestly Unfounded or Excessive Requests**: Under Article 12(5), if a request is manifestly unfounded or excessive, in particular because of its repetitive character, the company may either charge a reasonable fee for handling it or refuse to act on it. The burden of demonstrating that the request is manifestly unfounded or excessive lies with the company, so it should record the earlier requests and the effort involved before refusing. A request is not excessive merely because it is inconvenient or covers a large volume of data.
2. **Legal Privilege**: Personal data contained in communications that are subject to legal professional privilege, such as confidential advice between a lawyer and their client, may be exempt from disclosure. This exemption does not appear in the text of the GDPR; it comes from national law adopted under Article 23 (in the UK, for example, Schedule 2 of the Data Protection Act 2018). The company must assess whether the specific information requested is actually privileged and, if so, may withhold that information while still disclosing the rest.
3. **Confidentiality Obligations**: If disclosing the requested personal data would breach a confidentiality obligation owed to a third party, or would reveal another individual's personal data, the company may withhold that part of the response. This justifies withholding the affected material, not refusing the whole request, so the company should consider redacting the third-party information, or providing a summary of the requester's own data, rather than refusing outright.
4. **National Security or Public Safety**: Article 23(1)(a) to (c) allows national law to restrict the right of access where necessary to safeguard national security, defence or public security. A company can rely on this ground only where such a legislative measure exists and applies to the data in question; its own belief that disclosure might pose a risk is not sufficient on its own.
5. **Prevention, Detection, or Investigation of Crime**: Article 23(1)(d) likewise allows national law to restrict access where disclosure would prejudice the prevention, investigation, detection or prosecution of criminal offences, for example by tipping off the subject of an ongoing fraud investigation. The restriction applies only to the extent that disclosure would cause that prejudice; personal data unconnected to the investigation should still be provided.
6. **Protection of Rights and Freedoms of Others**: Article 15(4) provides that the right to obtain a copy of personal data must not adversely affect the rights and freedoms of others. Recital 63 gives trade secrets and intellectual property, such as copyright protecting software, as examples, alongside the personal data of third parties. Where this applies, the company should withhold or redact only the affected material; Recital 63 states that the result of these considerations should not be a refusal to provide all information to the data subject.
7. **Requests Concerning a Child or an Incapacitated Person**: Being a minor or lacking legal capacity does not remove the right of access, so a request from the data subject themselves cannot be refused on that ground alone. The question arises when a parent, guardian or other representative makes the request on the data subject's behalf: the company must check that the representative is entitled to act, and should consider whether the data subject is able to understand and exercise their own rights and whether disclosure to the representative is in their best interests. Where the data subject can exercise the right themselves, the company should respond to them directly rather than to the representative.
It is essential for companies to assess each SAR on a case-by-case basis, to apply any exemption only to the data it actually covers, and to document the justification for every refusal or redaction.
Under Article 12(4), a company that refuses to act must inform the data subject without delay, and at the latest within one month of receiving the request, of the reasons for the refusal, of their right to lodge a complaint with the relevant supervisory authority and of their right to seek a judicial remedy. Doubt about the requester's identity is not a ground for refusal: where the company has reasonable doubts, Article 12(6) allows it to ask for additional information to confirm identity before responding.