Are Data Subject Requests Free? Fees and Exceptions

The default: your request is free

The starting point under the UK GDPR (Article 15) is simple: you have the right to ask an organisation for a copy of the personal data it holds about you, and exercising that right is normally free of charge. An organisation cannot ask you to pay just for the privilege of seeing your own information, and it cannot make payment a condition of starting the process. The same free-by-default principle applies to the other main data rights too, such as asking for inaccurate data to be corrected or for data to be erased.

This matters because the right of access is meant to be genuinely usable, not gated behind a cost. You also do not need to use a special form, hire anyone, or explain why you want your data. A plain, dated message identifying yourself and asking for a copy of your personal data is enough to begin, and it should cost you nothing.

Bear in mind that 'free' refers to what the organisation can charge you. Your own time, or any optional help you choose to pay for, is a separate matter — the right itself carries no fee.

• A standard access request is free under the UK GDPR.
• You do not need to give a reason, pay, or use a special form.
• The free-by-default rule also covers correction and erasure requests.

When a reasonable fee can apply

The law allows a narrow set of exceptions. An organisation may charge a 'reasonable fee' based on its administrative costs in a few specific situations. The clearest is where you ask for further copies of the same data you have already received — the organisation can charge for the extra copies, though not for the first response. A reasonable fee can also be considered where a request is what the law calls manifestly unfounded or manifestly excessive, for example clearly repetitive requests sent over and over.

Even then, the fee must be reasonable and cost-based — it is meant to cover genuine administrative effort such as photocopying, postage, or staff time, not to turn a profit or to discourage you from asking. Instead of charging for a manifestly unfounded or excessive request, an organisation may alternatively choose to refuse it, but in either case it should explain its decision and tell you about your right to complain.

These exceptions are deliberately limited. A normal, reasonable, first-time request for your own data does not fall into any of them, so the everyday answer to 'will this cost me?' is no.

• Further copies of data you have already received: a reasonable fee may apply.
• Manifestly unfounded or excessive requests: a fee or a refusal is possible.
• Any fee must be cost-based and proportionate, not a deterrent or a profit.

What to do if you are asked to pay

If an organisation asks you for a fee, it is worth pausing to understand why. Is it treating your request as a further copy of something already supplied, or as repetitive or excessive? It should be able to explain the basis for any charge and how the amount was worked out. If the explanation does not fit your situation — for instance you are making a straightforward first request — you can politely ask it to reconsider and point to your right of access.

Keep a calm, dated record of what you sent and what you were told. If you still believe a fee is being used to block a legitimate request, you have the right to complain to the data-protection regulator. In the UK this is the the Information Commissioner's Office (ICO), the independent authority for data protection, and complaining is free and something you can do yourself.

This is general information, not legal advice. For guidance on your own circumstances, consider speaking with a qualified professional.

• Ask the organisation to explain the basis and amount of any fee.
• Keep dated copies of your request and their response.
• You can complain to the the Information Commissioner's Office (ICO) for free if a fee blocks a fair request.

Frequently asked questions

Related terms

• Data Subject Access Request (DSAR)
• GDPR (General Data Protection Regulation)
• Personal data
• Data protection regulator