June 15, 2026
European Court of Justice Clarifies Definition of Excessive Data Subject Access Requests Under GDPR and Its Implications for Employment Law

The European Court of Justice (ECJ) has issued a landmark ruling regarding the interpretation of "excessive" requests under the General Data Protection Regulation (GDPR), providing much-needed clarity for data controllers who face repetitive or abusive Data Subject Access Requests (DSARs). In a decision prompted by questions from the German Amtsgericht of Arnsberg, the ECJ ruled that even a first-time DSAR may be categorized as "excessive" within the meaning of Article 12(5) of the GDPR. This determination applies when a data controller can demonstrate that, despite the request meeting formal requirements, it was made with the intent to fraudulently or wrongfully obtain advantages under EU law. This ruling marks a significant shift in the balance of power between data subjects and controllers, particularly in the context of employment litigation where DSARs are frequently utilized as tactical tools.

The Legal Framework of Article 12(5) GDPR

Under Article 15 of the GDPR, individuals—referred to as data subjects—possess the fundamental right to obtain confirmation from a data controller as to whether their personal data is being processed, and if so, to access that data and receive specific information regarding its use. Traditionally, the burden of proof for denying such a request has rested heavily on the data controller. Article 12(5) of the GDPR provides a narrow exception, stating that where requests from a data subject are "manifestly unfounded or excessive, in particular because of their repetitive character," the controller may either charge a reasonable fee or refuse to act on the request.

Until this recent ECJ intervention, the prevailing interpretation of "excessive" was largely tied to the frequency of requests. Many legal practitioners and national Data Protection Authorities (DPAs) assumed that a first-time request could almost never be deemed excessive. However, the ECJ has now clarified that the term must be interpreted according to its "everyday language," meaning that the intent and circumstances behind a single request can render it excessive, regardless of whether it is a repeat submission.

Chronology and Case Background: The Arnsberg Referral

The case that led to this clarification involved a dispute between an individual and an optician company in Germany. The chronology of the events highlights the potential for the tactical misuse of GDPR rights:

  1. Initial Interaction: The data subject subscribed to a newsletter from an optician by entering personal data into an online registration form and providing consent for data processing.
  2. The Request: Only thirteen days after subscribing, the individual submitted a formal DSAR to the company, seeking full disclosure of all processed data.
  3. The Refusal: The company, suspicious of the rapid turnaround and the nature of the interaction, refused to comply with the request.
  4. Escalation: Rather than clarifying the need for the data, the data subject maintained the request and added a claim for financial compensation for the alleged violation of their privacy rights.
  5. Legal Discovery: During the subsequent legal proceedings in the German courts, evidence emerged that the data subject had employed an identical "modus operandi" with several other data controllers. The individual appeared to be systematically subscribing to services only to immediately file DSARs and seek settlements or compensation for non-compliance.

The German Amtsgericht of Arnsberg, recognizing the potential for abuse, stayed the proceedings and referred questions to the ECJ to determine if a first request could be considered excessive and what criteria should be used to identify such abuse.

Criteria for Determining Abusive Practices

The ECJ’s ruling emphasizes that EU legislation cannot be extended to cover transactions carried out for the purpose of fraudulently or wrongfully obtaining advantages. To establish that a DSAR is an "abusive practice," the court outlined two essential components that must be proven by the data controller:

The Objective Element

The controller must show that, despite formal observance of the conditions laid down by EU rules, the objective of those rules has not been achieved. The primary purpose of Article 15 is to enable individuals to verify the lawfulness of processing and to facilitate the exercise of other rights, such as rectification or erasure. If the request is clearly aimed at a different, unrelated objective—such as generating a basis for a compensation claim through entrapment—the objective element of abuse may be met.

The Subjective Element

The controller must demonstrate the intention of the data subject to obtain an advantage from the EU rules by artificially creating the conditions required for obtaining it. In the Arnsberg case, the short timeframe (13 days) and the history of similar claims against other companies served as strong indicators of this subjective intent.

The Role of Circumstances and Evidential Thresholds

The ECJ was careful to note that reliance on Article 12(5) to deny a first-time request must remain exceptional. To protect the fundamental rights of data subjects, the court established a strict evidential threshold. National courts and data controllers must take into account all specific circumstances, including:

  • Voluntary Provision of Data: Whether the data subject provided the personal data without being legally or contractually obliged to do so.
  • The Original Aim: The purpose behind providing that data in the first place (e.g., subscribing to a newsletter).
  • Temporal Proximity: The amount of time that elapsed between the provision of the data and the subsequent request for access.
  • Conduct of the Data Subject: The overall behavior of the individual, including whether they have a history of similar "tactical" requests.

Impact on the Employment Law Landscape

The implications of this ruling are particularly profound in the field of employment law. In recent years, a growing trend has emerged where employees—or more commonly, former employees—use DSARs as a form of "pre-litigation discovery." When an employee faces dismissal or wishes to bring a claim for discrimination or unfair treatment, they often file a comprehensive DSAR to force the employer to reveal internal communications, HR notes, and management emails.

The Challenge for Employers

While the ECJ’s ruling provides a theoretical defense against abusive DSARs, the "employment context" presents unique hurdles. Unlike the newsletter subscriber in the German case, an employee has a legitimate, long-term relationship with the data controller. The personal data held by the employer was provided out of necessity for the employment contract, not as part of a voluntary "opt-in" scheme.

Furthermore, demonstrating that an employee’s DSAR is "excessive" remains difficult because the employee can often argue that they need the data to ensure the processing related to their dismissal was lawful. Even if the ultimate goal is to bolster a legal claim, the ECJ has previously suggested that the motive behind a DSAR does not necessarily invalidate the right to access, provided the request isn’t purely abusive.

Identifying Abuse in Labor Disputes

Legal analysts suggest that for an employer to successfully invoke this new ECJ precedent, they would likely need to show a pattern of behavior similar to the "newsletter bot" scenario. For example, if an individual applies for a job they are clearly unqualified for, and then immediately files a DSAR upon rejection to fish for a discrimination claim, the Arnsberg criteria might apply. However, for a long-tenured employee, the threshold for "excessive" will remain significantly higher.

Supporting Data: The Rising Burden of DSARs

The ECJ’s focus on "excessive" requests comes at a time when the administrative burden of GDPR compliance is reaching a boiling point for many organizations. According to data from various national regulators:

  • Volume Increase: The UK Information Commissioner’s Office (ICO) and various EU DPAs have reported a year-on-year increase in complaints related to DSAR non-compliance, often driven by complex requests in the midst of legal disputes.
  • Operational Costs: Industry surveys estimate that the average cost of fulfilling a single complex DSAR can range from €5,000 to €15,000, factoring in legal review, data redaction, and IT resources.
  • Time Consumption: For large corporations, a single "all-encompassing" DSAR from a former executive can involve the review of tens of thousands of emails, taking hundreds of man-hours to process within the mandatory 30-day window.

The ECJ ruling acknowledges these pressures by allowing controllers to push back against requests that are clearly not intended to serve the privacy goals of the GDPR but are instead designed to harass or extract financial settlements.

Official Reactions and Future Outlook

Legal experts and privacy advocates have reacted to the ruling with cautious optimism. While business groups welcome the recognition of "abusive practices," privacy advocates warn that this should not be seen as a "green light" for companies to ignore inconvenient requests.

"The ECJ has reinforced the principle that rights are not absolute," noted one European legal consultant. "However, the ‘strict evidential threshold’ mentioned by the court means that employers should not expect a quick fix. They will still need to document the reasons for a refusal meticulously."

As national Data Protection Authorities begin to integrate this judgment into their guidance, the focus will shift to how "everyday language" is applied in different jurisdictions. The ruling provides a clear signal that the GDPR is a shield for privacy, not a sword for litigation tactics, but the battle over where to draw the line between a "thorough" request and an "excessive" one is far from over.

The next phase of this legal evolution will likely involve national courts testing the "subjective intent" of data subjects in more nuanced scenarios. For now, the ECJ has provided a vital tool for data controllers to defend themselves against the most blatant forms of GDPR exploitation. Organizations are advised to update their DSAR handling policies to include a framework for assessing potential abuse, ensuring they remain compliant while protecting their resources from bad-faith actors.