In recent months, I have noticed an increase in fees being charged for the compliance with data subject access requests, by some organisations. The purported fee is named as being to cover the cost of redaction, administration or copying, and is in many cases unlawful.
Data subjects are entitled to a copy of all of their personal data upon their request. Organisations are not entitled to charge a fee for complying with an access request.
In exceptional situations, where the access request is deemed to be ‘manifestly unfounded or excessive’ the organisation may impose a reasonable administrative fee or refuse to comply with the request.
If an organisation decides to deny an access request or to charge a fee, ithe organisation must prove why the access request is manifestly unfounded or excessive. This situation may arise where a data subject makes multiple requests for the same data. It does not arise where the organisation decides the data subject has no need for the data, or where the retrieval of the data is difficult or cumbersome.
A reply to the data subject access request should be given without delay and within a maximum of one month. A time extension of two months may be sought if the request is complex.
By Lisa Quinn O’Flaherty
Solicitor at Fitzsimons Redmond