What would be deemed a manifestly unfounded or excessive SAR under the GDPR?
Under the GDPR, a SAR must be complied with free of charge except in circumstances where the request is manifestly unfounded or excessive. However, there is minimal guidance in the Data Protection Bill 2017 as to what types of request would be deemed excessive or unfounded. It is likely that repeated requests for the same information or requests that are “fishing expeditions” would fall under this exception. Nevertheless, until the ICO publishes guidance on this, it cannot be said with any certainty what requests would be excessive or unfounded.
If employers refuse to respond to a SAR, reasons for refusal must be given and the individual must be notified of his/her right to complain to the ICO. Employers should respond to the individual without undue delay but, in any event, no later than one month after the request was made.
Given the lack of guidance at present, employers should respond to a SAR unless it would involve retrieving information that causes significant practical or technical difficulty. Further, the ICO Code notes that employers “should be prepared to make extensive efforts to find and retrieve the requested information.”
Continue reading
We help hundreds of people like you understand how the latest changes in employment law impact your business.
Please log in to view the full article.
What you'll get:
- Help understand the ramifications of each important case from NI, GB and Europe
- Ensure your organisation's policies and procedures are fully compliant with NI law
- 24/7 access to all the content in the Legal Island Vault for research case law and HR issues
- Receive free preliminary advice on workplace issues from the employment team
Already a subscriber? Log in now or start a free trial
