Subject access request self serve
-
1. What is your question about?
Manifestly unfounded or excessive requests
-
2. What is your question?
What does manifestly unfounded mean?
The following information might help answer your question
A request is manifestly unfounded if the individual has no real intention to exercise their right or the request is malicious in intent.
A request may be manifestly unfounded if:
- the individual clearly has no intention to exercise their right of access. For example an individual makes a request, but then offers to withdraw it in return for some form of benefit from the organisation; or
- the request is malicious in intent and is being used to harass an organisation with no real purpose other than to cause disruption. For example, the individual:
- explicitly states, in the request itself or in other communications, that they intend to cause disruption;
- makes unsubstantiated accusations against you or specific employees which are clearly prompted by malice;
- targets a particular employee against whom they have some personal grudge; or
- systematically sends different requests to you as part of a campaign, eg once a week, with the intention of causing disruption.
This is not a simple tick list exercise that automatically means a request is manifestly unfounded. You must consider a request in the context in which it is made. If the individual genuinely wants to exercise their rights, it is unlikely that the request is manifestly unfounded.
Whilst aggressive or abusive language is not acceptable, the use of such language does not necessarily make a request manifestly unfounded.
Example
An individual makes a subject access request to an online retail company for their personal data. They state that they are making a SAR in accordance with the UK GDPR and that if the company credits the individual’s online account with a specified sum of money, they will withdraw their request. The company is correct to consider the request as manifestly unfounded.