*Reassuringly dull cyber security e: info@normcyber.comt: +44 (0) 203 855 6215

‘Nuisance’ Subject Access Requests not supported by High Court


High Court gets tough on ‘nuisance’ Subject Access Requests.

The High Court has dismissed a claim for failing to provide an adequate response to a Subject Access Request (SAR). The court not only decided that the organisation had adequately responded, it also gave some commentary on the court’s discretion to refuse an order, even where it can be demonstrated that an organisation has failed to provide data.

In the court’s view, the SARs issued were numerous and repetitive (which was abusive) and there was a collateral purpose underpinning the requests (namely, to use the documents in separate litigation).

Significantly, the court said that even if the claimant could show there was a failure to provide a proper response to one or more SARs, the court had a discretion as to whether or not to make an order – and that in this case, there were good reasons for refusing to make an order, including:

  • The issue of numerous and repetitive SARs which were abusive.
  • The real purpose of the SARs being to obtain documents rather than personal data.
  • The fact that the data sought would be of no benefit to the claimant.


The court’s comments demonstrate a robust approach to nuisance Subject Access Requests that is not matched by regulatory guidance.

If your organisation is looking to comply with the requirements of the GDPR then take a look at how our CSaaS and DPaaS solutions can help.

Appointing NormCyber as our virtual DPO has given Ferrero the best of both worlds – access to data protection experts who understand what we stand for as a business, without the hefty overheads usually associated with appointing an in-house DPO.

Harpreet Thandi
Regional Counsel, UK & Ireland, Ferrero

We were looking for a virtual DPO service that offered all of the benefits of a fully qualified data protection lawyer, without the overheads of an in-house hire. The DPaaS solution from norm. has been invaluable in helping us to ensure we respect the integrity of our customers’ personal information, while using it to continue to deliver differentiated products and services which support our growing customer base.

Mike Whitfield, Compliance Manager

CSaaS allows me to step away from multi-vendor management as the Security Operations Centre coordinates all of the technology for me.

David Vincent, CTO

We were in the market for an independent Data Protection Officer service that was well versed with both UK and EU regulators. We’re thrilled to have acquired this service knowing that an expert is available 24/7.

Suzanne McCabe, Head of Project Management
James Hambro & Partners

Norm’s penetration testing layer, along with the suite of CSaaS modules has enabled MA to exceed all its audit requirements for its major clients.

Rob Elisha, ICT and CRM Manager
Montreal Associates

The speed of your Data Protection Officer’s response was very impressive – it was far quicker than I would have expected even from an in-house DPO

Will Blake, Director of Technology and Analytics
CRU Group