Data-subject rights
When a Company Can Lawfully Refuse Your Data Request
Not every "no" is a breach of your rights. A calm look at the limited, lawful grounds an organisation can rely on under the UK GDPR to refuse or limit a data request — and how to tell a legitimate refusal from one you can challenge.
In short
Under the UK GDPR, a company can lawfully refuse or limit your data request in a few defined situations: when it cannot verify your identity, when a request is manifestly unfounded or excessive, or when a specific exemption applies — such as protecting another person's personal data. It must still explain its reasons and tell you about your right to complain.
Your rights are strong, but not unlimited
The UK GDPR gives you genuine, enforceable rights over your own personal data — the right of access, erasure, rectification, and others. The starting point is that an organisation should honour a valid request. But the law also recognises a small set of situations where it can lawfully say no, or provide less than you asked for. Knowing these grounds helps you read a refusal calmly and judge whether it is legitimate.
The important thing is that these are exceptions, not loopholes. An organisation cannot refuse simply because a request is inconvenient, because it would rather not look, or because it dislikes the reason you are asking. When it does rely on a ground to refuse or limit your request, it generally has to tell you which one, explain why, and remind you that you can complain to the regulator.
This is general information, not legal advice. The exact grounds and how they apply depend on the specific right you are exercising and the facts of your situation.
The main lawful grounds for refusing or limiting a request
Most lawful refusals fall into a few recognisable categories. The first is identity: before releasing your personal data, an organisation is entitled — and often expected — to make sure you are who you say you are. If it has reasonable doubts and you do not provide the confirmation it reasonably asks for, it can decline to act until you do. That is a pause for your protection, not a final refusal.
The second is where a request is "manifestly unfounded or excessive". This is a high bar. It might apply where someone clearly has no real intention of exercising the right and is using it to harass an organisation, or where requests are repetitive in a way that goes well beyond a genuine need. Even then, the organisation can choose to charge a reasonable fee or refuse — it must not treat the label as an easy way out, and it carries the burden of showing why it applies.
The third is exemptions. The law lists specific circumstances where some information can be withheld — for example, where releasing it would reveal another person's personal data, or where disclosure would prejudice things like the prevention of crime or legal professional privilege. These tend to be narrow and applied to the relevant parts of a response, not used to refuse the whole request outright.
- Identity not verified — the organisation can pause until you confirm who you are.
- Manifestly unfounded or excessive — a high bar the organisation must justify.
- A specific exemption applies — often to part of the data, such as information revealing someone else.
- Repeated, overlapping requests — a reasonable fee or refusal may be allowed in narrow cases.
Telling a lawful refusal from one you can challenge
A legitimate refusal usually looks like an explanation. The organisation tells you the specific ground it is relying on, applies it to the right parts of your request rather than the whole thing by default, and points you toward your right to complain. A blanket "we don't have to give you that" with no reasoning is a signal that something may be off.
It also helps to remember what a refusal is not. An organisation cannot lawfully refuse just because responding takes effort, because the data is held by a third-party processor it uses, or because it has its own commercial preference to keep things quiet. If a stated reason does not match one of the recognised grounds, that is exactly the kind of response you can question — first with a short follow-up, and then, if you remain unsatisfied, with the data-protection regulator.
In the UK that regulator is the Information Commissioner's Office (ICO), at ico.org.uk. Complaining is free and you can do it yourself. Seeing your own footprint clearly first — what is out there and who holds it — makes it easier to frame a precise request and to recognise when a refusal is reasonable and when it is not. OSINTA helps you understand and route your own requests; it never contacts anyone for you or promises an outcome.
This is general information, not legal advice. For guidance on your own circumstances, consider speaking with a qualified professional or your supervisory authority, the Information Commissioner's Office (ICO).
- A lawful refusal names a specific ground and explains it.
- Effort, third-party processors, or commercial preference are not lawful grounds.
- You can follow up, then complain to the ICO at ico.org.uk if you remain unsatisfied.
Frequently asked questions
Can a company refuse my data request just because it is a lot of work?
No. Effort or inconvenience on its own is not a lawful ground to refuse under the UK GDPR. An organisation can only refuse or limit a request on defined grounds — such as an unverified identity, a manifestly unfounded or excessive request, or a specific exemption — and it should explain which one applies.
What does "manifestly unfounded or excessive" actually mean?
It is a high bar, not a catch-all. It can apply where there is clearly no genuine intention to exercise the right — for example requests used mainly to harass — or where requests are excessively repetitive. The organisation must be able to justify the label, and it can choose a reasonable fee instead of refusing.
Can a company withhold only part of my data?
Yes. Exemptions are often applied to specific parts of a response rather than the whole request. A common example is information that would reveal another person's personal data. The organisation should still provide the rest and explain what it has held back and why.
What can I do if I think a refusal was not lawful?
Start with a short, dated written follow-up asking the organisation to explain its grounds. If you remain unsatisfied, you can complain to the data-protection regulator — in the UK, the Information Commissioner's Office at ico.org.uk. Complaining is free and you can do it yourself.
This is general information, not legal advice. For guidance on your own situation, consider speaking with a qualified professional.
Reviewed by OSINTA's founding lawyer — 2026-06-27.