The European Court of Justice (ECJ) has issued a landmark ruling clarifying the parameters of "excessive" requests under the General Data Protection Regulation (GDPR), providing employers and data controllers with a potential shield against the tactical misuse of data access rights. In response to a series of questions referred by the German Amtsgericht (District Court) of Arnsberg, the ECJ ruled that even a first-time Data Subject Access Request (DSAR) may be classified as "excessive" under Article 12(5) of the GDPR. This determination applies when a data controller can demonstrate that, despite the request meeting formal requirements, it was made with the intent to fraudulently or wrongfully obtain advantages beyond the scope of EU data protection law.
This ruling marks a significant departure from the prevailing assumption that a "first" request for data access is almost always beyond reproach. By interpreting the term "excessive" through the lens of "everyday language," the ECJ has reinforced the principle that EU legislation cannot be weaponized to facilitate transactions carried out for the purpose of abuse of rights. However, the court balanced this by setting a high evidentiary bar, ensuring that the fundamental right of access remains robust for legitimate data subjects.
The Legal Context: Article 15 and the Article 12(5) Exemption
Under Article 15 of the GDPR, individuals have a broad right to obtain confirmation from a data controller as to whether their personal data is being processed and, if so, to access that data. This right is intended to allow individuals to verify the lawfulness of processing and to facilitate other rights, such as rectification or erasure. Historically, many legal experts and Data Protection Authorities (DPAs) have argued that the motive behind a DSAR is irrelevant; if the data exists, the subject has a right to see it.
However, Article 12(5) of the GDPR provides a narrow exception: where requests from a data subject are "manifestly unfounded or excessive, in particular because of their repetitive character," the controller may either charge a reasonable fee or refuse to act on the request. Until now, the "repetitive character" was the most commonly cited justification for a refusal. The ECJ’s recent guidance expands the "excessive" definition to include the intent and circumstances of even an initial request.
Case Background: The Newsletter Dispute in Arnsberg
The case that triggered this clarification involved a dispute between an individual and a German optician. The data subject had subscribed to the optician’s digital newsletter by entering personal details into a registration form and consenting to data processing. Only thirteen days after subscribing, the individual submitted a comprehensive DSAR.
When the optician refused to comply, citing the suspicious nature of the request, the data subject not only maintained the demand for access but also added a claim for financial compensation. Investigations into the matter revealed a pattern of behavior: the data subject had allegedly utilized the same modus operandi with various other data controllers. The apparent goal was not to monitor the lawfulness of data processing, but rather to provoke a technical non-compliance that could lead to a settlement or statutory damages.
The German court sought guidance on whether such a "first" request could be deemed excessive and what criteria should be used to identify an "abuse of rights" in the context of the GDPR.
The ECJ’s Criteria for Identifying Abusive Practices
The ECJ emphasized that the application of the "excessive" label must remain exceptional. To prove that a practice is abusive and thus falls under the Article 12(5) exemption, the court established a two-pronged test requiring both objective and subjective elements:
1. The Objective Element
The controller must demonstrate that, despite formal observance of the conditions laid down by EU rules, the objective of those rules has not been achieved. In the context of a DSAR, the objective is to enable the subject to verify the accuracy and lawfulness of data processing. If the circumstances suggest the request has no relation to these goals, the objective element of abuse may be met.
2. The Subjective Element
The controller must show an intention to obtain an advantage from the EU rules by artificially creating the conditions required for obtaining that advantage. This involves proving that the data subject’s conduct was specifically designed to trigger a legal or financial benefit unrelated to data privacy.
To assist national courts in this assessment, the ECJ highlighted several critical factors to consider:

- Voluntary Provision of Data: Whether the subject provided the data without being legally or contractually obliged to do so.
- The Aim of Providing Data: The original purpose for which the data was shared (e.g., subscribing to a newsletter versus an employment contract).
- The Temporal Element: The time elapsed between the provision of data and the request for access (e.g., the 13-day gap in the Arnsberg case).
- Conduct of the Subject: Whether the subject immediately demanded compensation or engaged in a pattern of similar requests across different industries.
Chronology of the Rise of Tactical DSARs
The ECJ ruling arrives at a time when "tactical DSARs" have become a standard tool in civil and employment litigation across Europe.
- 2018: The GDPR comes into force, introducing the right of access without a fee.
- 2019-2020: Legal practitioners begin advising clients to use DSARs as a "pre-litigation discovery" tool to bypass more restrictive civil procedure rules.
- 2021-2022: A surge in "GDPR trolling" is observed, where individuals or automated services file mass requests to identify minor procedural errors for the purpose of claiming damages under Article 82.
- 2023: National courts in Germany and the Netherlands begin referring cases to the ECJ to clarify whether "motive" should be a factor in granting access.
- 2024: The ECJ provides the current ruling, establishing that while motive is generally irrelevant, "abusive intent" is a valid ground for refusal.
Impact on the Employment Sector
The employment context is perhaps the most frequent battleground for DSAR disputes. It has become common practice for employees—particularly those facing dismissal or asserting discrimination—to file a DSAR. These requests often require HR departments to review thousands of emails, internal notes, and chat logs, creating a massive administrative and financial burden.
While the ECJ’s ruling is a victory for the principle of fairness, legal experts warn that it may offer limited relief to employers in standard dismissal cases. The criteria put forward by the ECJ—such as the voluntary provision of data and short timeframes—are rarely present in an employment relationship.
In a workplace, personal data is typically provided out of necessity at the start of a multi-year relationship. When a dismissed employee files a DSAR, they are often seeking evidence for an unfair dismissal claim. While this is technically a "collateral purpose" (not the primary purpose of the GDPR), it is far harder to categorize as "fraudulent" or "wrongful" compared to a newsletter subscriber filing a request after 13 days.
Industry data suggests that the average cost for a medium-sized enterprise to respond to a complex employee DSAR ranges from €5,000 to €15,000 in labor and legal fees. For larger corporations, the costs can escalate into the hundreds of thousands. While the ECJ ruling provides a defense against "professional trolls," employers will still face a "strict evidential threshold" when trying to prove that a former employee’s request is legally abusive rather than just annoying or strategically motivated.
Reactions and Analysis of Implications
Legal analysts suggest that the ruling will lead to more robust gatekeeping by data controllers, but also more litigation regarding what constitutes "abuse."
"The ECJ is finally acknowledging that the right of access is not an absolute weapon for extortion," says one Brussels-based privacy consultant. "However, by emphasizing the ‘exceptional’ nature of this exemption, the court is signaling that controllers should not get comfortable. You cannot simply refuse a DSAR because you suspect the person is planning to sue you."
The ruling is expected to influence how national Data Protection Authorities (DPAs) handle complaints. Previously, many DPAs, such as those in France (CNIL) or the UK (ICO, though under different post-Brexit rules), were hesitant to support controllers who refuse requests based on motive. This ECJ judgment provides a clear, albeit narrow, framework for DPAs to dismiss complaints from individuals who are clearly acting in bad faith.
Future Outlook: A New Standard for Digital Conduct
As the ECJ judgment is integrated into national case law, the next phase of the debate will likely focus on the "repetitive" versus "excessive" distinction. Businesses are encouraged to document the "conduct of the data subject" meticulously if they intend to rely on Article 12(5). This includes keeping records of all interactions, the timing of requests, and any demands for financial settlements that accompany the DSAR.
The ruling serves as a reminder that while the GDPR is a shield for the privacy of citizens, it was not intended to be a sword for the opportunistic. For the employment law landscape, the focus now shifts to how national courts will interpret the "strict evidential threshold" in the messy, high-stakes environment of workplace disputes.
As European member states digest this ruling, the legal community awaits further clarification on the role of DSARs in jurisdictions where they have become inextricably linked to employment litigation strategy. For now, the ECJ has sent a clear message: the spirit of the law matters just as much as its letter.
