Folelse


Applying exemptions and refusing a data subject request

Not every data subject request must be fulfilled in full. UK GDPR and the Data Protection Act 2018 Schedule 2 provide specific exemptions. You must apply them carefully and document your reasoning.

How to record an exemption in Folelse

  1. Open the DSR record.
  2. Scroll to the Exemptions section.
  3. Select the exemption applied from the dropdown.
  4. Enter a brief explanation of why the exemption applies in the notes field.
  5. Attach any supporting evidence (e.g. legal advice, clinical harm assessment).
  6. Update the status to "Responded — Exemption Applied".

Common Schedule 2 exemptions

  • Crime and taxation — data processed to prevent or detect crime, or assess or collect tax.
  • Legal proceedings — data subject to legal professional privilege.
  • Management information — data about planned organisational changes (limited, temporary exemption).
  • Regulatory activity — data held for regulatory or supervisory purposes.
  • Journalism, research, and archives — where disclosure would prejudice these activities.
  • Social work — data held by local authorities or social care providers where disclosure would harm the subject or a third party.
  • Health and social care — data held by a health professional where disclosure would cause serious harm.

When applying an exemption, you must still acknowledge receipt of the request and tell the individual you are applying an exemption (unless doing so would prejudice the exemption itself, e.g. in a crime prevention context). Always seek legal advice if uncertain.
