It seems some organisations have caught up with the ability to refuse a DSAR because the request is manifestly unfounded or excessive. I am not sure where in the GDPR this was permitted, by which I mean, I don’t think it was. Here are some links.
O’Donahue and Bateman say,
> Where it is obvious or clear (“manifestly”) that the individual has no intention to access the information or is malicious in intent, and/or is using the request to harass with no real purposes other than to cause disruption.
- Manifestly unfounded and excessive requests, from the ICO
- The Law, as enacted, we need § 53
- Responding to requests: the ICO considers manifestly unfounded and excessive requests, by O’Donahue & Bateman from Reed Smith
- Information rights and data protection: appeal against the Information Commissioner at gov.uk