You don’t always have to say yes
The GDPR gives data subjects strong rights, but those rights are not absolute. There are situations where you may decline a request. However, it is important that you do so correctly: with a valid reason, within the deadline, and with proper communication.
Grounds for refusal
1. Manifestly unfounded request
A request that is clearly not submitted to exercise privacy rights, but to harass or obstruct you. This is a high threshold: you must be able to demonstrate that the request serves no reasonable purpose, and the mere fact that a request is inconvenient or costly to handle is not enough.
In practice, this rarely occurs. Be cautious with this ground - supervisory authorities do not accept it readily.
2. Excessive request
A request is excessive when, for example, the same person repeatedly makes the same request within a short period without any relevant change in circumstances. For an excessive request, you have two options:
- Charge a reasonable fee for the administrative costs
- Refuse the request
3. Legal retention obligation
For deletion requests: if you are legally required to retain the data (fiscal retention obligation, employment law deadlines), you may not delete. This is not a refusal in the sense of “I don’t want to”, but “I cannot without breaking the law”.
4. Rights of third parties
For access requests: if providing the data would adversely affect the rights and freedoms of other persons. Think of files containing data about multiple people. This is not a ground to refuse the whole request: redact the third parties' data and provide the rest.
5. Legal claims
If you need the data for the establishment, exercise, or substantiation of a legal claim. As long as a legal dispute is ongoing, you may retain relevant data.
6. Identity not verified
If you have reasonable doubts about the requester's identity, you may decline to act on the request until the identity is confirmed. Ask for the additional information you need to confirm it, and only as much as you need, and do not start processing the request until you receive it.
How to refuse correctly
Always respond
Even when refusing, you must respond within one month of receiving the request. For complex or numerous requests that period may be extended by two further months, but only if you inform the data subject of the extension, and the reasons for it, within the first month. Not responding is not a refusal - it is a violation.
Substantiate your decision
Explain on which ground you refuse. “We see no reason to comply with your request” is insufficient. Name the specific exception that applies.
Inform about rights
State in your response that the data subject:
- May file a complaint with the supervisory authority (include the name and contact details)
- May appeal to the courts
Document
Save your assessment: which request, which ground for refusal, what considerations you made. This is your file if the supervisory authority asks questions.
An example
A former customer asks you to delete all their data. You check your systems and find:
- Invoices with their name and address (fiscal retention obligation: 7 years)
- CRM notes and communication history (no retention obligation)
- An outstanding invoice (needed for legal claim)
Your response: “We have deleted your CRM notes and communication history. We retain your invoicing data for [X] more years based on our fiscal retention obligation. We retain data related to the outstanding invoice until the claim is settled.”
That is a correct, transparent, and well-substantiated response.
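The assessment above is a small decision procedure: for each data set found, decide between deleting and retaining, name the specific ground if retaining, note the date the ground stops applying, record all of that for your file, and draft the reply. The following Python sketch is an added example and not part of the original page or of any GDPRWise product; the record categories, dates and the 7-year retention period are constructed, and the article references are to the GDPR (Art. 12(3) for the deadline, Art. 17(3)(b) and (e) for the retention and legal-claims exceptions). It also handles the case the example above does not show: a retention obligation that has already expired is no longer a ground to retain, so that data is deleted with the rest.

```python
from dataclasses import dataclass
from datetime import date
from calendar import monthrange
from typing import List, Optional


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic that clamps to the last day of the target
    month (31 January + 1 month -> 28/29 February)."""
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    return date(year, month, min(d.day, monthrange(year, month)[1]))


def response_deadline(received: date, extended: bool = False) -> date:
    """Art. 12(3) GDPR: respond within one month of receipt; for complex or
    numerous requests the period may be extended by two further months,
    provided the data subject is informed within the first month."""
    return add_months(received, 3 if extended else 1)


@dataclass
class Record:
    category: str              # a data set found in your systems
    created: date              # start of the retention period for that data set
    retention_years: int = 0   # statutory retention period; 0 = none
    legal_hold: bool = False   # needed for an ongoing or anticipated legal claim


@dataclass
class Decision:
    category: str
    action: str            # "delete" or "retain"
    ground: Optional[str]  # the specific exception relied on, if retaining
    detail: str            # the consideration you made, kept for your file


def retention_end(r: Record) -> date:
    return add_months(r.created, 12 * r.retention_years)


def assess_deletion_request(records: List[Record], today: date) -> List[Decision]:
    """Decide per data set. An expired retention period is no longer a ground
    to retain, so such data is deleted together with unrestricted data."""
    out = []
    for r in records:
        if r.legal_hold:
            out.append(Decision(r.category, "retain",
                                "legal claims, Art. 17(3)(e)",
                                "retained until the claim is settled"))
            continue
        end = retention_end(r)
        if r.retention_years and end > today:
            out.append(Decision(r.category, "retain",
                                "legal retention obligation, Art. 17(3)(b)",
                                f"retained until {end.isoformat()}"))
        elif r.retention_years:
            out.append(Decision(r.category, "delete", None,
                                f"retention period ended {end.isoformat()}"))
        else:
            out.append(Decision(r.category, "delete", None,
                                "no retention obligation applies"))
    return out


def compose_response(decisions: List[Decision], authority: str) -> str:
    """Draft the reply: what was deleted, what is retained and on which
    ground, and the right to complain and to go to court."""
    deleted = [d.category for d in decisions if d.action == "delete"]
    retained = [d for d in decisions if d.action == "retain"]
    lines = []
    if deleted:
        lines.append("We have deleted: " + ", ".join(deleted) + ".")
    for d in retained:
        lines.append(f"We retain {d.category} ({d.detail}) on the ground of {d.ground}.")
    lines.append(f"You may lodge a complaint with {authority} "
                 "and you may seek a judicial remedy before the courts.")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed inventory for a former customer; all dates are made up.
    today = date(2026, 1, 15)
    inventory = [
        Record("invoices", date(2021, 3, 15), retention_years=7),
        Record("CRM notes and communication history", date(2023, 1, 1)),
        Record("outstanding invoice", date(2025, 6, 1), retention_years=7, legal_hold=True),
        Record("old invoices", date(2015, 1, 1), retention_years=7),
    ]
    decisions = assess_deletion_request(inventory, today)
    print("respond by:", response_deadline(today))
    for d in decisions:   # this list is the file you keep for the authority
        print(d)
    print(compose_response(decisions, "[supervisory authority, contact details]"))
```

The `Decision` list is the part worth keeping: it records, per data set, which ground you relied on and until when, which is exactly what you need if the supervisory authority later asks why part of the request was refused.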
Template: Deletion Refusal
A professional response that substantiates the refusal with the specific legal ground, and informs the data subject of their right to complain.
The burden of proof is on you
This is important: if a data subject files a complaint with the supervisory authority, you must demonstrate that your refusal was justified. The data subject does not need to prove that their request was justified. So always ensure you have proper documentation.
GDPRWise helps you register, assess, and correctly respond to requests, including templates for access, deletion, and refusal.