Data controllers may refuse to respond to requests that are manifestly unfounded or excessive, in particular because of their repetitive character, under Part 3 of the Data Protection Act 2018 (DPA 2018). Alternatively, they may be able to charge a reasonable fee for dealing with such a request, taking into account the administrative costs of providing the information.  

The DPA 2018 confers a range of rights on individuals, including among others access to their personal data, rectification of their data and restriction of processing in certain circumstances. However, data controllers are legally entitled to refuse certain requests from individuals, if they demonstrate that the requests are manifestly unfounded or excessive. 

The Information Commissioner’s Office (ICO) has issued guidance for determining when a request may be manifestly unfounded or excessive. It recommends that data controllers consider each request on a case-by-case basis, rather than enforcing a blanket policy. The individual must be informed of the reasons why the request has not been complied with, in addition to their right to make a complaint to the ICO.

To read the ICO’s official guidance, click here