Back to Blog
LegalTech & IA

When a SAR Turns Sour: Handling Hostile or Disproportionate Data Subject Access Requests Under GDPR

NakedPact Editorial Committee
Reviewer: Carmelo G.
Comitato Editoriale NakedPact
July 4, 2026
10 min read
When a SAR Turns Sour: Handling Hostile or Disproportionate Data Subject Access Requests Under GDPR

You've Got Mail – and It's Not a Love Letter

Imagine this: you're a DPO, sipping your morning coffee, when an email lands in your inbox. It's a Subject Access Request (SAR) – but not the polite kind. The requester demands every single piece of data you hold, including internal Slack messages, CCTV footage from three years ago, and a list of every time their name was mentioned in a meeting. Your first instinct might be to panic. But GDPR gives you tools to handle exactly this situation.

Under Article 12(5) of the GDPR, you can refuse to act on a request that is 'manifestly unfounded or excessive.' The key is knowing how to prove that – and doing it without sounding like you're hiding something.

What Makes a SAR 'Hostile' or 'Disproportionate'?

A hostile SAR isn't just annoying; it's one that aims to disrupt your business or harass your staff. Think of it as the legal equivalent of someone asking you to recite the entire dictionary – technically possible, but utterly unreasonable. Disproportionate requests, on the other hand, are those that would require a massive effort to fulfill, like searching through thousands of emails for a single mention of a name.

GDPR doesn't define these terms precisely, but guidance from the ICO and EDPB suggests that you consider the context: Is the requester a former employee with a grudge? Are they asking for the same data repeatedly? Do they have a legitimate purpose, or are they just fishing?

Your Step-by-Step Playbook for Pushback

First, don't ignore the request. That's a violation in itself. Instead, respond promptly (within one month) and explain why you believe the request is unfounded or excessive. Be specific: 'We consider this request excessive because it would require manually reviewing 10,000 emails, and you have already received a comprehensive response to a similar request last month.'

Second, offer a compromise. You can charge a 'reasonable fee' for administrative costs (Article 12(5)) or extend the deadline if the request is complex. But be transparent about the calculation – no one likes hidden fees.

Third, if the requester persists, you have the right to refuse outright. But document everything: your reasoning, the evidence of excessiveness, and any correspondence. If the case goes to the supervisory authority, you'll need to show you acted in good faith.

Yes, but only if the request is manifestly unfounded or excessive. You must inform the requester of your reasons and your right to refuse, and you can charge a fee for administrative costs. Always document your decision to avoid penalties.

Real-World Analogies: The 'All-You-Can-Eat Buffet' Problem

Think of a SAR like an all-you-can-eat buffet. A normal request is like taking a plate and choosing a few items. A hostile SAR is like someone bringing a truck and trying to load the entire restaurant, including the kitchen sink. GDPR says you can say, 'Sorry, that's not reasonable – but here's a reasonable portion.'

Or, as one DPO put it: 'Handling a SAR is like being a librarian. If someone asks for every book ever written, you can point them to the catalog. But if they demand you personally read each book aloud, you can politely decline.'

Practical Tips for Your Response

  • Be polite but firm. Start with 'Thank you for your request' – even if you're gritting your teeth.
  • Use templates. Have a pre-approved response for excessive requests that includes your legal basis for refusal.
  • Leverage technology. Use data mapping tools to quickly assess the scope of a request.
  • Know when to escalate. If the requester is a known litigant, involve your legal team early.

What If You Get It Wrong?

Refusing a SAR incorrectly can land you with a fine up to €20 million or 4% of annual turnover. That's why it's crucial to have a clear policy and to seek legal advice for borderline cases. The GDPR text itself is your best friend – read Article 12 and 15 carefully.

Remember, the goal isn't to avoid compliance; it's to balance the data subject's rights with your operational reality. A well-handled refusal can actually build trust – it shows you take privacy seriously, not that you're hiding something.

FAQ

What is a manifestly unfounded SAR?

A manifestly unfounded SAR is one that has no clear legal basis or is intended to harass the controller. For example, a requester who has already received the same information and is asking again without any change in circumstances.

Can I charge a fee for a SAR?

Yes, but only if the request is manifestly unfounded or excessive, particularly if it is repetitive. The fee must be 'reasonable' and based on administrative costs. You must inform the requester of the fee before processing.

How long do I have to respond to a SAR?

You must respond without undue delay and at the latest within one month of receiving the request. This can be extended by two months for complex or multiple requests, but you must inform the requester within the first month.

📋 Hostile SAR Response Checklist

  • Assess if request is manifestly unfounded or excessive
  • Document reasons for refusal or fee
  • Respond within one month (or extend with notice)
  • Offer a compromise or partial response
  • Charge reasonable fee only if justified
  • Keep records of all correspondence
  • Seek legal advice for borderline cases

✅ Check off each step as you complete it.

NakedPact Logo

NakedPact Editorial Committee

Article created by the NakedPact editorial team. Our mission is to analyze, simplify, and expose unfair terms and hidden risks in everyday contracts to protect citizens and consumers.

Do you own a website?

Do you own a website?

Want to communicate your data processing transparency to your users? Dynamically use our badge and showcase your platform's compliance.

🛡️ Protect your rights with one click

Don't risk signing abusive clauses. Install the free NakedPact extension for Chrome or Firefox and instantly analyze any contract on the web.

Don't trust, verify.

Now that you know the risks, don't sign blindly. Upload your contract to NakedPact and let AI find the hidden clauses for you. It's 100% free.

Analyze Your Contract Now

Rispettiamo la tua privacy

Usiamo i cookie per migliorare la tua esperienza e personalizzare gli annunci. Scopri di più.

NakedPact Logo

Estensione Chrome

Analizza i contratti e i Termini di Servizio direttamente sul tuo browser con l'estensione NakedPact.