In recent months, I have noticed an increase in fees being charged by some organisations for compliance with data subject access requests. The purported fee is named as being to cover the cost of redaction, administration or copying, and is in many cases unlawful.

Data subjects are entitled to a copy of all of their personal data upon their request. Organisations are not entitled to charge a fee for complying with an access request.

In exceptional situations, where the access request is deemed to be ‘manifestly unfounded or excessive’, the organisation may impose a reasonable administrative fee or refuse to comply with the request.

If an organisation decides to deny an access request or to charge a fee, the organisation must prove why the access request is manifestly unfounded or excessive. This situation may arise where a data subject makes multiple requests for the same data. It does not arise where the organisation decides the data subject has no need for the data, or where the retrieval of the data is difficult or cumbersome.

A reply to the data subject access request should be given without delay and within a maximum of one month. A time extension of two months may be sought if the request is complex.

This article is for information purposes only, and is not intended to be relied upon as legal advice. Fitzsimons Redmond will be happy to tailor advice to suit the needs of your organisation, and work with you to develop an appropriate privacy policy and procedure to deal with data subject access requests. You can contact us on 01 6763257.

By Lisa Quinn O’Flaherty

Solicitor at Fitzsimons Redmond