FAQEU GDPR

EU GDPR DSAR Exceptions

Controllers should treat refusal as exceptional: first check identity, scope, timing, duplicate requests, and third-party rights before limiting access.

Grounded in GDPR Articles 12, 15, and 23 plus EDPB right-of-access guidance on narrow interpretation, partial redaction, extensions, and evidence.

Back to main artifactReview sources
Author
Sorena AI
Published
May 9, 2026
Updated
May 9, 2026
Questions
5

Structured answer sets in this page tree.

Primary sources
2

Cited legal and guidance references.

Publication metadata
Sorena AI
Published May 9, 2026
Updated May 9, 2026
Overview

EU GDPR DSAR exceptions are narrow. A controller normally has to facilitate access, answer without undue delay and within one month, and may extend, charge, or refuse only where the GDPR conditions and supporting facts are documented.

Search this module

Find a question or answer quickly

5 of 5 questions
Question 1

When can a controller extend a DSAR response?

Article 12(3) requires the controller to provide information on action taken without undue delay and in any event within one month of receiving the request. The controller may extend that period by two further months only where necessary, taking into account the complexity and number of requests.

The extension is not automatic. The controller must tell the data subject within one month of receipt that it is extending the response period and must give the reasons for the delay.

  • Record the date the request was received and the first one-month response deadline.
  • Identify the concrete complexity or request volume that makes the extension necessary.
  • Send the extension notice within the first month, with reasons for the delay.
  • Do not extend merely because a processor or internal team is slow to retrieve information.
Citations
Question 2

When can a controller ask for identity information?

A controller may request additional information only where it has reasonable doubts about the identity of the person making the request. The additional information must be necessary to confirm identity, not a routine barrier to exercising rights.

If the controller cannot identify the data subject in Article 11 circumstances, Article 12 says the controller does not have to act unless the data subject provides additional information enabling identification. The identity check should be proportionate to the data and risk involved.

  • Do not demand extra identity documents for every DSAR by default.
  • Record the reasonable doubt that triggered the identity check.
  • Ask only for information necessary to confirm the requester's identity or authority.
  • For third-party or proxy requests, verify authority before disclosing personal data.
Citations
Regulation (EU) 2016/679 (GDPR)

Article 12(2) and 12(6) cover facilitation of rights, inability to identify the data subject, and additional identity information where reasonable doubts exist.

Question 3

When can a controller charge a fee or refuse a DSAR?

Article 12(5) starts from a free-of-charge rule. A controller may charge a reasonable fee or refuse to act only where the request is manifestly unfounded or excessive, in particular because of its repetitive character. The controller bears the burden of demonstrating that condition.

EDPB guidance says these concepts must be interpreted narrowly and assessed case by case. Lack of reasons, inconvenience, large internal effort, or the possibility that the requester may use the data in a dispute does not by itself make the request excessive.

  • Test whether Article 15 is clearly not met before calling a request manifestly unfounded.
  • For repetitive requests, compare the interval, data-change frequency, data sensitivity, processing purpose, and overlap with prior requests.
  • Consider whether combining overlapping requests or charging administrative costs is more appropriate than refusal.
  • If refusing, tell the data subject the reasons, complaint right, and judicial remedy route no later than one month after receipt.
Citations
Question 4

Can access be narrowed to protect other people's rights?

Article 15(4) says the right to obtain a copy must not adversely affect the rights and freedoms of others. That is not a general permission to reject the whole DSAR. The controller should assess the concrete conflict and provide access in an adjusted form where reconciliation is possible.

Typical handling is to leave out or render illegible the parts that would adversely affect others, while still providing the data subject's accessible personal data and Article 15 information where the GDPR allows it.

  • Identify the specific rights or freedoms of others that would be affected.
  • Assess the likelihood and severity of the adverse effect.
  • Use redaction, extraction, or partial disclosure where those measures solve the conflict.
  • Document why any withheld part could not be disclosed without adversely affecting others.
Citations
Regulation (EU) 2016/679 (GDPR)

Article 15(3) requires a copy of personal data undergoing processing, and Article 15(4) limits copies where rights and freedoms of others would be adversely affected.

Question 5

What evidence should a DSAR exceptions record keep?

The record should show that the controller started from the right of access and applied only the grounded limit needed for the specific request. It should be usable by privacy, legal, support, and product teams without adding unsupported national derogations or authority-specific procedures.

Where a controller relies on Union or Member State restrictions under Article 23, keep the legal basis and conditions separate from the GDPR-level Article 12 and 15 analysis. The grounding here supports only the GDPR framework and EDPB caution, not a country-by-country derogation list.

  • Request receipt date, channel, requester, authority or proxy check, and identity-check rationale.
  • Data stores searched and whether the request covered all or only part of the data subject's personal data.
  • Any extension notice, its date, and the concrete complexity or volume reasons.
  • Any Article 12(5) fee or refusal decision, with facts proving manifestly unfounded or excessive character.
  • Any Article 15(4) redactions, the affected third-party rights, and why partial disclosure was sufficient or not.
  • If a legal restriction is invoked, the Union or Member State provision, conditions checked, and when the restriction should be lifted.
Citations
Regulation (EU) 2016/679 (GDPR)

Articles 12, 15, and 23 provide the GDPR-level rules for DSAR modalities, copies, refusal, fees, identity checks, and legal restrictions.

Recommended next step

Use this FAQ to check refusal, fee, extension, and redaction decisions

Sorena can help privacy, legal, support, and product teams turn each DSAR exception into a cited response record with deadlines, notices, evidence, and reviewer sign-off.

Research workflow
Open Research Copilot for EU GDPR

Ask source-linked questions about DSAR refusal, extensions, identity checks, fees, and access limits using the cited sources on this page.

Explore next step
Talk to Sorena
Talk through implementation

Review your DSAR exception workflow, evidence fields, and escalation triggers with Sorena.

Explore next step
Primary sources

References and citations

EDPB Guidelines 01/2022 on data subject rights - Right of access
edpb.europa.eu
Referenced sections
  • EDPB access-right guidance recommends case-by-case documentation for manifestly unfounded or excessive access requests and cautions controllers to check Article 23 restriction conditions carefully.
"considered on a case by case basis"
Regulation (EU) 2016/679 (GDPR)
eur-lex.europa.eu
Referenced sections
  • Articles 12, 15, and 23 provide the GDPR-level rules for DSAR modalities, copies, refusal, fees, identity checks, and legal restrictions.
"The controller shall bear the burden"
Related guides

Explore more topics

Does the EU GDPR apply outside the EU under Article 3?
A grounded GDPR Article 3 territorial-scope FAQ covering EU establishment, offering goods or services, monitoring behavior in the EU, and Article 27 representatives.
EU GDPR Applicability Test for Products, Vendors, and Data Flows
A concrete GDPR scope test for personal data, controller and processor roles, EU establishment, EU targeting or monitoring, special-category and child data, transfers, vendors, and evidence.
EU GDPR Article 30 RoPA Intake Workflow
Use this GDPR Article 30 RoPA intake workflow to capture controller and processor fields, owners, transfers, retention, security measures, and evidence before a processing activity goes live.
EU GDPR Article 6 Legal Bases FAQ
FAQ on the six Article 6 GDPR lawful bases, consent caveats, legitimate interests, public-task and legal-obligation limits, and Article 9 special-category data.
EU GDPR Automated Decision-Making and Profiling: Article 22 Scope, Safeguards, and Evidence
source-linked GDPR guide for automated decision-making and profiling: Article 22 scope, profiling definition, transparency, lawful basis, DPIA triggers, human review rights, and evidence.
EU GDPR Breach Notification 72 Hours: Article 33 and 34 workflow
Source-grounded EU GDPR breach notification workflow covering awareness, 72-hour supervisory authority notices, processor escalation, high-risk data-subject communication, delay reasons, and evidence logs.
EU GDPR Breach Notification Workflow: 72-hour clock, risk assessment, and records
A concrete EU GDPR breach notification workflow for detecting and triaging incidents, starting the awareness clock, assessing risk, notifying authorities or data subjects, and keeping Article 33 records.
EU GDPR Checklist: scope, lawful basis, DSARs, DPIA, RoPA, transfers
Use this GDPR checklist to review scope, lawful basis, notices, DSAR handling, DPIAs, RoPA, processor contracts, SCC transfers, breach notification, retention, security, and evidence.
EU GDPR Children and Special-Category Data Guide
source-linked GDPR guide for Article 8 children's consent, Article 9 special-category data, DPIA triggers, transparency, safeguards, and evidence records.
EU GDPR Compliance Checklist: scope, rights, DPIA, RoPA, transfers
Practical EU GDPR compliance guide for mapping scope, lawful basis, notices, data-subject rights, DPIAs, RoPA, processor terms, breaches, transfers, retention, security, and penalties.
EU GDPR Controller, Processor, and Joint Controller Roles
source-linked GDPR guide for classifying controllers, processors, and joint controllers, with Article 28 contract checks, Article 26 transparency, and vendor evidence.
EU GDPR Data Subject Rights and DSAR Workflow
source-linked GDPR DSAR workflow for intake, identity checks, request scope, the one-month response clock, extensions, refusals, processor escalation, and evidence.
EU GDPR deadlines and compliance calendar
source-linked GDPR calendar entries for applicability, DSAR response timing, breach notification, DPIA review, prior consultation, transfer reviews, and retention checks.
EU GDPR DPIA and Prior Consultation Workflow
Screen high-risk processing, run a GDPR Article 35 DPIA, record mitigation, and identify when Article 36 prior consultation is required.
EU GDPR DPIA and risk management under Articles 35 and 36
EU GDPR DPIA guide covering Article 35 triggers and contents, CNIL and DPC PIA methods, residual risk, mitigation records, and prior consultation limits.
EU GDPR DSAR Workflow: Intake, Clock, Rights, and Evidence
Run a GDPR DSAR workflow for intake, identity checks, rights scoping, one-month response timing, extensions, refusals, processor handoffs, and evidence records.
EU GDPR FAQ: scope, lawful basis, rights, DPIA, breaches, transfers
Direct EU GDPR FAQ answers on scope, controller and processor roles, lawful basis, data subject rights, DPIAs, breach notification, international transfers, and Article 83 fine tiers.
EU GDPR International Transfers and SCCs: Chapter V evidence guide
source-linked guide to GDPR Chapter V transfers, adequacy decisions, SCCs, transfer impact assessments, supplementary measures, and EU-US DPF checks.
EU GDPR Lawful Basis and Consent Guide
Focused GDPR guide to Article 6 lawful bases, consent conditions, legitimate interests, special category data, withdrawal, and evidence records.
EU GDPR Lawful Basis and LIA Workflow for Article 6(1)(f)
Assess GDPR legitimate interests with a purpose, necessity, balancing, Article 21 objection, and evidence-record workflow grounded in Article 6(1)(f).
EU GDPR Lead Supervisory Authority and One-Stop-Shop
How GDPR main establishment, cross-border processing, Article 56 lead authority competence, and Article 60 cooperation fit together.
EU GDPR LIA Template for Article 6(1)(f)
Use this EU GDPR legitimate interests assessment template to document Article 6(1)(f) purpose, necessity, balancing, safeguards, objection rights, and evidence.
EU GDPR penalties and fines: Article 83 tiers and evidence
EU GDPR penalties and fines guide covering Article 83 fine tiers, assessment factors, Article 58 powers, and evidence records for controllers and processors.
EU GDPR Processor Contracts and Vendor Management | Article 28 Evidence Guide
EU GDPR Article 28 guide for processor contracts, sub-processor controls, controller-processor role boundaries, vendor evidence, and SCC transfer clauses where applicable.
EU GDPR Record of Processing Activities Template: Article 30 RoPA Fields
Build a GDPR Article 30 record of processing activities with separate controller and processor fields for purposes, data categories, recipients, transfers, erasure time limits, and security measures.
EU GDPR Requirements: scope, rights, security, DPIA, RoPA, and transfers
Overview of core EU GDPR requirements covering scope, principles, lawful basis, notices, data-subject rights, processors, RoPA, security, breaches, DPIAs, and international transfers.
EU GDPR Retention and Erasure Schedule
Build an EU GDPR retention and erasure schedule around storage limitation, Article 17 erasure grounds, Article 12 rights handling, Article 19 recipient notices, and Article 30 RoPA fields.
EU GDPR SCC Transfer Impact Assessment FAQ
source-linked FAQ on when SCC transfer impact assessments are needed, what Clause 14 records, and when supplementary safeguards or transfer suspension are required.
EU GDPR Transfer TIA and SCC Workflow
A GDPR workflow for checking adequacy, selecting SCC modules, documenting transfer impact assessments, and recording supplementary measures for third-country transfers.
EU GDPR Transparency Notices: Articles 12, 13 and 14
Source-grounded GDPR guide to privacy notices under Articles 12, 13 and 14: direct collection, third-party data sources, recipients, transfers, retention, rights, and lawful basis.
EU GDPR vs Brazil LGPD: GDPR-led comparison and source gaps
Compare EU GDPR duties with Brazil LGPD only where the available sources support the comparator, with GDPR rows for lawful basis, rights, breach, transfers, roles, and evidence.
EU GDPR vs California CCPA: grounded GDPR comparison limits
Compare GDPR implementation duties with source-limited California CCPA/CPRA context, showing where the available grounding supports a claim and where it does not.
EU GDPR vs ePrivacy Directive: personal data, cookies, consent, and communications
Compare the EU GDPR and ePrivacy Directive for personal data processing, consent and lawful basis, cookies and terminal access, electronic communications, and parallel compliance.
EU GDPR vs UK GDPR: source-limited compliance comparison
Compare EU GDPR obligations with source-limited UK GDPR transfer notes grounded in EU GDPR sources, covering scope, lawful basis, rights, accountability, records, DPIAs, security, and transfers.
GDPR processor vs controller: role boundaries and evidence
Decide whether a party is a GDPR controller, processor, or joint controller using purpose-and-means tests, Article 28 terms, Article 26 arrangements, and Article 30 records.
GDPR vs EU AI Act: privacy controls for AI systems
Compare GDPR privacy duties with the EU AI Act only where the GDPR source pack supports the point: lawful basis, notices, DPIA, ADM, RoPA, rights, and source limits.
GDPR vs EU Data Act: personal data safeguards and source limits
Compare GDPR obligations with the EU Data Act only where the available GDPR grounding supports the fact pattern, with clear safeguards for personal data, rights, transfers, and accountability.
When does the EU GDPR require a DPIA?
Answer the EU GDPR DPIA threshold question with Article 35 triggers, high-risk criteria, supervisory-authority list checks, and DPIA content requirements.
When does the GDPR 72-hour breach notification clock start?
GDPR breach-awareness FAQ covering the Article 33 clock, processor escalation, delayed or phased notifications, risk assessment, and records to keep.