The European Court of Justice (ECJ) has issued a pivotal judgment defining the boundaries of "excessive" Data Subject Access Requests (DSARs) under the General Data Protection Regulation (GDPR), providing a new legal framework for data controllers to challenge potentially abusive requests. In response to a series of questions referred by the German Amtsgericht of Arnsberg, the ECJ ruled that even a first-time request for data access may be regarded as "excessive" within the meaning of Article 12(5) of the GDPR. This determination can be made when a data controller demonstrates that, despite the request meeting formal requirements, it was submitted with the intent to fraudulently or wrongfully obtain advantages beyond the scope of EU data protection law.
The ruling marks a significant shift in the interpretation of Article 12(5), which allows controllers to charge a reasonable fee or refuse to act on requests that are "manifestly unfounded or excessive." Historically, data protection authorities and courts have been hesitant to label a first request as excessive, usually reserving that designation for repetitive or harassing communications. However, the ECJ has now clarified that the term "excessive" must be interpreted according to its "everyday language" meaning, suggesting that the nature and intent of a request can outweigh its frequency.
The Legal Framework of Article 12(5) GDPR
Under the GDPR, Article 15 grants individuals the right to obtain confirmation from a data controller as to whether their personal data is being processed and, if so, access to that data. This right is fundamental to the European privacy regime, intended to allow individuals to verify the lawfulness of processing and seek rectification or erasure if necessary.
However, Article 12(5) provides a necessary safeguard for businesses and organizations. It states that where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either charge a fee or refuse to act. Until this recent ECJ ruling, the "repetitive character" clause was often treated as the primary—if not only—metric for excessiveness. The new ruling expands this, emphasizing that the application of EU legislation cannot be extended to cover transactions carried out for the purpose of obtaining advantages provided for by EU law in a fraudulent or wrongful manner.
Chronology of the Dispute: The Newsletter Case
The case that led to this clarification originated in Germany and involved a dispute between an individual and an optician. The timeline of the events provides a clear example of what the court considers potentially abusive behavior:
- Initial Engagement: The data subject subscribed to a newsletter from a local optician. To do so, they entered their personal data into a registration form on the company’s website and provided explicit consent for the processing of that data for marketing purposes.
- The Immediate Request: Only thirteen days after providing their data voluntarily, the individual submitted a formal DSAR under Article 15 of the GDPR, demanding full access to all processed information.
- The Refusal: The optician, viewing the request as suspicious given the timeline and the voluntary nature of the data submission, refused to comply.
- Escalation and Compensation Claim: Upon the refusal, the data subject did not merely reiterate the request for data but added a claim for financial compensation, citing the company’s failure to comply with the GDPR request as a source of distress or legal harm.
- Legal Proceedings: The matter was brought before the Amtsgericht of Arnsberg. Evidence surfaced during the proceedings suggesting that the data subject had employed the same "modus operandi" with various other data controllers, effectively using the GDPR as a tool to provoke non-compliance and subsequent settlement demands.
- The Referral: Recognizing the complexity of defining "excessive" in this context, the German court stayed the proceedings and referred the matter to the ECJ for a preliminary ruling on the interpretation of Article 12(5).
Defining the Criteria for Abusive Practice
The ECJ’s ruling establishes a two-pronged test for determining whether a practice is abusive and, therefore, whether a DSAR can be deemed excessive. According to the court, proof of an abusive practice requires the satisfaction of both an objective and a subjective element.
The objective element consists of a combination of objective circumstances in which, despite formal observance of the conditions laid down by EU rules, the purpose of those rules has not been achieved. In the context of a DSAR, the purpose is to allow a person to check the accuracy of their data and the legality of its use. If the circumstances suggest the individual has no actual interest in these privacy goals, the objective element may be met.
The subjective element involves the intention to obtain an advantage from EU rules by artificially creating the conditions required for obtaining it. In the German case, the act of signing up for a newsletter specifically to trigger a DSAR and a subsequent compensation claim was viewed as an artificial creation of legal standing.
The ECJ emphasized that national courts must take into account "all the circumstances of the case" when making this assessment. Key factors include:
- Whether the data subject provided the personal data voluntarily and without obligation.
- The specific aim behind providing that data in the first place.
- The time elapsed between the provision of data and the request for access (e.g., the 13-day window in the newsletter case).
- The overall conduct of the data subject, including whether they have a history of similar "trap" requests.
Impact on the Employment Sector
While the newsletter case involved a consumer-facing scenario, the ruling has profound implications for employment law. In recent years, DSARs have become a standard "pre-litigation" tactic for employees involved in disputes. When an employee is dismissed or faces disciplinary action, they often file a DSAR to force the employer to disclose internal emails, meeting notes, and performance reviews.
Legal experts note that DSARs in the employment context are frequently used as "fishing expeditions" to gather evidence for claims of unfair dismissal or discrimination. They are also used as a leverage tool; because responding to a comprehensive DSAR can cost a company thousands of euros in legal fees and administrative hours, employees may use the request to pressure the employer into a higher severance settlement.

The ECJ’s ruling offers a glimmer of hope for employers, but the court also urged caution. The judgment notes that reliance on Article 12(5) must remain "exceptional" and subject to a "strict evidential threshold."
In an employment context, demonstrating abuse is significantly harder than in the newsletter case. An employee has a legitimate, long-term relationship with the controller (the employer), and the data was not provided "voluntarily" in the same sense as a newsletter signup—it was provided as a condition of employment. Furthermore, because an employee has a legitimate interest in knowing how their performance was assessed, it is difficult for an employer to prove that the "subjective element" of abuse is present, even if the timing of the DSAR coincides with a dismissal.
Data and Economic Implications of DSAR Compliance
The burden of DSAR compliance is a growing concern for European enterprises. According to various industry reports, the average cost for a medium-sized organization to process a single complex DSAR can range from €5,000 to €20,000, depending on the volume of data and the need for redaction to protect the privacy of third parties.
For large corporations, the numbers are even more staggering. Some multinational firms report receiving hundreds of DSARs per month. If a significant portion of these are "tactical" or "excessive," the administrative drain is substantial. The ECJ’s recognition that a first request can be excessive acknowledges the reality that the GDPR can be weaponized in ways that do not actually further the cause of data privacy.
Reactions from Legal Experts and Data Authorities
The legal community has greeted the ruling as a "pragmatic" development. Privacy advocates, while generally supportive of broad access rights, have acknowledged that "GDPR trolling"—the practice of using data requests to extract settlements—undermines the integrity of the regulation.
"The ECJ is sending a clear message that the GDPR is a shield for privacy, not a sword for litigation leverage," said one Brussels-based privacy consultant. "By focusing on the ‘everyday language’ of excessiveness, the court is allowing for a common-sense approach to blatant abuses of the system."
However, Data Protection Authorities (DPAs) across EU member states may interpret the "strict evidential threshold" differently. National authorities in jurisdictions like France (CNIL) or the Netherlands (AP) have historically been very protective of the right of access, often ruling that the motive behind a DSAR is irrelevant. The ECJ ruling now requires these authorities to consider the "aim" and "conduct" of the data subject, which may lead to a shift in how DPAs handle complaints against companies that refuse to fulfill suspicious requests.
Future Outlook and Implications for Businesses
The ECJ judgment provides a new defensive avenue for data controllers, but it does not grant a "get out of jail free" card. Organizations looking to deny a DSAR on the grounds of excessiveness must be prepared to document the "abusive practice" with high-quality evidence.
Moving forward, businesses should:
- Audit DSAR Patterns: Monitor for individuals who submit requests shortly after engaging with the company or who have a history of immediate litigation following a request.
- Document the Burden: Keep records of the time and cost associated with fulfilling requests to demonstrate why a specific request might be "excessive" in the context of the data subject’s behavior.
- Evaluate Context: In employment disputes, consider whether the request is genuinely aimed at data accuracy or whether it is being used to bypass discovery rules in civil litigation.
The ruling serves as a reminder that while the GDPR provides robust protections for individuals, those protections are not absolute. They are bound by the general principle of EU law that prohibits the abuse of rights. As national courts begin to apply the ECJ’s criteria, the legal landscape for DSARs will likely see a more nuanced balance between the fundamental right to data access and the need to protect organizations from bad-faith actors.
The next phase of this legal evolution will occur at the national level, as Data Protection Authorities integrate this judgment into their enforcement frameworks. For now, the ECJ has established that the intent of the requester is no longer entirely off-limits when determining the legitimacy of a data access demand.
