Effort and costs of compliance with the GDPR are generally not criteria that play a role in the decisions of the controller. However, under several provisions the controller may take effort and costs into account:
Art. 12 V a: Where requests from a data subject are manifestly unfounded or excessive, the controller may charge a reasonable fee taking into account the administrative costs. [see also Art. 15 III 2 GDPR]
Art. 14 V b: “Paragraphs 1 to 4 [information obligation] shall not apply where and insofar as the provision of such information […] would involve a disproportionate effort […].” [see also Rec. 62]
Art. 17 II: “Where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, the controller, taking account of […] the cost of implementation, shall take reasonable steps […].”
Art. 19 (1): “The controller shall communicate any rectification or erasure of personal data or restriction of processing […] to each recipient to whom the personal data have been disclosed, unless this […] involves disproportionate effort.”
Art. 25 I: “Taking into account […] the cost of implementation […] the controller shall […] implement appropriate technical and organisational measures […].”
Art. 32 I: “Taking into account […] the costs of implementation […] the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk […].” [see Rec. 83 (2)]
Art. 34 III c: “The communication to the data subject referred to in paragraph 1 shall not be required if it would involve disproportionate effort.”
Rec. 26 (4): On the question of whether a person is identifiable “the costs of and the amount of time required for identification” are taken into account as objective factors.
Rec. 84 (3): “Where a data-protection impact assessment indicates that processing operations involve a high risk which the controller cannot mitigate by appropriate measures in terms of available technology and costs of implementation, a consultation of the supervisory authority should take place prior to the processing.” [see also Rec. 94 (1)]
On the restriction of data subjects' rights in case of disproportionate effort, see Tile DSR.08.
In German national law, effort and implementation costs may be taken into account in accordance with §§ 22 II 2, 27 II, 28 II, 34 I/IV, 35 I 1/II 2 Bundesdatenschutzgesetz (i.e. Federal Data Protection Act).