DSAR Exemptions: When You Can Refuse a Request

A brief overview of the circumstances in which organizations can legitimately refuse or limit their response to a DSAR.

Last updated: 2026-02-07

Exemptions Exist, but They Are Narrow

Privacy regulations grant individuals a broad right of access to their personal data. That right is not absolute — there are defined circumstances where an organization can refuse a request, withhold specific data, or charge a fee. But these exemptions are far narrower than most businesses assume.

From a governance standpoint, understanding DSAR exemptions is about knowing where the boundaries are, not about finding reasons to avoid responding. Organizations that over-rely on exemptions tend to attract exactly the regulatory attention they were trying to avoid.

The most commonly relevant exemptions include:

  • Manifestly unfounded or excessive requests — where the requester has no genuine intention of exercising their access right, or the request is clearly disproportionate. The bar for this is very high.
  • Third-party data — you must redact information about other identifiable individuals, but you still provide the requester's own data
  • Legal professional privilege — communications with legal counsel for the purpose of legal advice or litigation are protected
  • Crime prevention and detection — data can be withheld if disclosure would prejudice an active investigation
  • Confidential references — references you provided (not received) may be exempt under UK law
  • Negotiations — records of your negotiation intentions can be withheld while negotiations are ongoing

Three rules apply universally: exemptions are applied to specific data, not entire requests; you must still respond even when refusing; and the burden of proving the exemption applies falls on you.

For the complete guide covering every major exemption across GDPR, CCPA, and UK law — including practical examples of when each does and does not apply — visit boringdsar.com.


Understand Your Full Obligations

Our DSAR Compliance Guide covers exemptions alongside the complete response process, so you know exactly when you must respond, when you can limit your response, and how to document every decision defensibly.
