Skip to content
DSARTracker
← Back to Guides

Can You Charge for a Subject Access Request? UK Rules Explained

Published 24 March 2026 · Last reviewed 15 March 2026

The short answer: you almost certainly cannot charge. Under UK GDPR Article 12(5), responding to a subject access request must be free of charge. The old £10 SAR fee (from the Data Protection Act 1998) was abolished when UK GDPR took effect in May 2018.

There are two narrow exceptions — but the threshold is high, and most employer SARs will not qualify.

This guide covers SAR charging rules for UK employers under UK GDPR, as amended by the Data (Use and Access) Act 2025. It is not legal advice.

The default rule: free

Every SAR response must be provided free of charge. This applies regardless of:

  • How much data is involved (even if it takes days to collate)
  • How many systems you need to search
  • How much it costs your organisation in staff time
  • Whether the request comes during a tribunal dispute

Cost and inconvenience are not grounds for charging. The ICO is clear on this: the administrative burden of complying with a SAR is a normal cost of holding personal data.

Exception 1: vexatious or excessive requests

UK GDPR Article 12(5) allows you to charge a "reasonable fee" if a request is manifestly unfounded or manifestly excessive. The Data (Use and Access) Act 2025 updates this threshold to "vexatious or excessive" and provides clearer examples of what qualifies.

What counts as vexatious or excessive:

  • Requests intended to cause distress or disruption rather than genuinely exercise data rights
  • Requests that are not made in good faith (e.g., an ex-employee filing weekly SARs purely to burden the HR team)
  • Requests that are an abuse of process
  • Repetitive requests for the same data where nothing has changed

What does NOT count:

  • A large request covering years of data — size alone is not excessive
  • A request during tribunal proceedings — the requester's motivation does not make it vexatious if they are genuinely exercising their data rights
  • A request that is inconvenient or expensive to fulfil — cost to you is not a ground for charging
  • A first request from someone, regardless of timing or context

The burden of proof is on you. If you charge a fee and the requester complains to the ICO, you must demonstrate that the request was genuinely vexatious or excessive. "It was a lot of work" will not satisfy the ICO.

If you charge: The fee must be "reasonable" and reflect your actual administrative costs (staff time, materials, postage). You cannot set a flat fee or charge for profit. You must notify the requester of the fee before proceeding, and you cannot begin the work until payment is received.

Exception 2: additional copies

UK GDPR Article 15(3) allows a reasonable fee for further copies of data you have already provided. This applies when someone asks for the same data again — not when they make a new request covering a different time period or additional data categories.

Example: You responded to a SAR in January covering all HR data from 2024. In February, the same person asks for the same 2024 HR data again. You can charge a reasonable fee for the second copy. But if they ask for 2025 HR data — that is a new request, not a further copy.

How to calculate a reasonable fee

If one of the exceptions applies, the fee must be based on your actual administrative costs:

  • Staff time: Hours spent searching, compiling, and redacting, at the relevant salary rate
  • Materials: Printing, storage media, postage
  • Delivery: Tracked postage or secure electronic delivery

You cannot charge for: the time spent deciding whether to apply exemptions (that is your legal obligation), legal advice costs, management oversight, or any element of profit.

Practical reality: Most SMEs handling 1-5 SARs per year will never be in a position to charge. The exceptions are designed for extreme cases — persistent vexatious requesters or identical repeat requests — not for routine SARs that happen to be expensive to fulfil.

What the DUAA 2025 changes

The Data (Use and Access) Act 2025 makes two changes relevant to SAR charging:

  1. Updated threshold language: "Manifestly unfounded or manifestly excessive" becomes "vexatious or excessive" — with statutory examples of what these terms mean. This does not lower the bar for charging. The ICO's interpretation remains that most requests are legitimate.

  2. Stop-the-clock mechanism (section 76): While not directly about fees, the stop-the-clock provision gives employers breathing room that previously might have tempted them to charge as a delaying tactic. If you need identity verification or clarification, the clock pauses — reducing the pressure to refuse or charge. See Subject Access Request Time Limit UK for the full deadline rules.

What to do instead of charging

If a SAR feels overwhelming, there are legitimate steps that do not involve charging:

  • Request clarification. Under the DUAA 2025, if the request is too broad ("send me everything"), you can ask the requester to narrow the scope. The clock pauses until they respond.
  • Use the two-month extension. If the request is genuinely complex (multiple systems, extensive redaction), notify the requester within the first month and extend by two months.
  • Track deadlines properly. Use the SAR deadline calculator to manage your timeline — missed deadlines are a bigger risk than the cost of responding.
  • Use templates. The SAR response letter generator creates acknowledgement, extension, and response letters — reducing the time and cost of responding. See Free Subject Access Request Templates for UK Employers for a guide to each template type.

For the complete SAR response process, see How to Respond to a Subject Access Request from an Employee.

Frequently asked questions

Can an employer charge £10 for a SAR? No. The £10 fee was abolished in May 2018 when UK GDPR replaced the Data Protection Act 1998. SARs are now free unless one of the two narrow exceptions applies.

Can I charge if the SAR involves thousands of documents? No. Volume alone does not meet the threshold for "vexatious or excessive." If the request is genuinely complex, use the two-month extension instead.

What if the requester asks for the same data twice? You can charge a reasonable fee for further copies of data already provided. But a request covering a new time period or different data categories is a new request, not a further copy.

Can I refuse instead of charging? Yes. Under Article 12(5), if a request is vexatious or excessive, you can either charge a reasonable fee OR refuse to act. Either way, you must explain your reasoning and inform the requester of their right to complain to the ICO — within the one-month deadline.

Sources

Handle your next SAR step by step

dsartracker guides UK employers through every stage of a subject access request — deadlines, exemptions, redaction, and the audit trail the ICO expects.

No spam. Unsubscribe any time. Privacy policy

Related guides

Subject Access Request Policy Template: How to Create Your Internal SAR Process

How to create an internal SAR policy for UK employers — who handles requests, response steps, escalation rules, and a practical template to adapt.

Subject Access Request Response Letter: How to Write It Step by Step

How to write a SAR response letter step by step — what to include, how to structure it, and sample formats for straightforward and complex employer responses.

What Is a DSAR? A Plain-English Guide for UK Employers

What a DSAR means for UK employers — how to recognise one, what you must do in the first 24 hours, and the practical steps to respond without missing the deadline.