The landscape of European employment law is undergoing a significant transformation as Data Subject Access Requests (DSARs), once viewed primarily as a transparency mechanism under the General Data Protection Regulation (GDPR), have morphed into a formidable strategic weapon in workplace disputes. Since the implementation of the GDPR in May 2018, Article 15 has granted individuals the right to obtain from a data controller confirmation as to whether personal data concerning them is being processed, and where that is the case, access to that data. While the original intent of the European legislature was to empower citizens to monitor the lawfulness of data processing, the practical application within the employer-employee relationship has shifted toward pre-litigation discovery and settlement leverage.
This shift has been accelerated by a recent landmark decision from the European Court of Justice (ECJ), which clarified that the motive behind a DSAR is largely irrelevant to its validity. As long as a request is not "manifestly unfounded or excessive," employers are generally obligated to comply, even if the employee’s primary goal is to gather evidence for a wrongful dismissal claim or to pressure the company into a higher severance package. Across the European Union and the United Kingdom, the response to this trend varies, reflecting a complex tapestry of national jurisprudence and regulatory oversight.
The European Court of Justice and the Threshold of Abuse
The recent ruling by the ECJ has set a high bar for what constitutes an "abusive" request. The court emphasized that the right of access is a fundamental component of the right to data protection. Consequently, the burden of proof rests entirely on the data controller—the employer—to demonstrate that a request is truly excessive. The ECJ clarified that the mere fact that a request is burdensome, or that it is being used in the context of a legal dispute, does not grant an employer the right to refuse it.
This decision serves as a pivotal point in the chronology of European data privacy. Previously, some national courts had attempted to limit DSARs when they were clearly being used as "fishing expeditions" for litigation. The ECJ’s stance, however, reinforces the subject-friendly nature of the GDPR, signaling to employers that they must maintain robust data management systems capable of handling broad requests at any time, regardless of the underlying interpersonal or legal conflict.
Belgium: A Rising Trend in Termination Disputes
In Belgium, the use of DSARs is increasingly becoming a standard component of the "exit strategy" for employees facing termination. While the volume of requests has not yet reached the "flood" levels seen in other jurisdictions, legal experts note a steady rise in requests aimed at uncovering evidence of unreasonable or discriminatory dismissal.
The Belgian Data Protection Authority (DPA) has adopted a rigorous stance toward employers. In several rulings, the Belgian DPA has clarified that a request may only be deemed excessive if the primary intent is to harm the employer’s interests. Conflictual relationships, which are common during termination, are not considered sufficient grounds for refusal. This has forced Belgian companies to be more meticulous in their internal documentation, knowing that any internal email discussing an employee’s performance or personality could eventually be disclosed through a DSAR.
France: The Battle Over Email Access and Proportionality
France has seen a systematic adoption of DSARs in nearly all types of employment litigation. The strategy has become so prevalent that in-house privacy specialists have raised alarms regarding the "excessive amount of resources" required to fulfill these requests. The core of the conflict in France often centers on access to professional emails.
The French Data Protection Authority (CNIL) has issued detailed guidelines to help employers find a balance between the employee’s right of access and the protection of third-party rights or trade secrets. However, the French judiciary remains divided. Some courts maintain that the right of access is absolute and independent of the requester’s motive. Other courts have attempted to narrow the scope, particularly when DSARs are used as a surrogate for judicial discovery rules, which are generally more restrictive in France than in common-law jurisdictions. This inconsistency has created a precarious environment for French HR departments, who must navigate conflicting legal signals when deciding how much data to redact or withhold.
Germany: "Severance Poker" and Strategic Litigation
In the German market, DSARs have evolved into a tactical tool often referred to in legal circles as "severance poker." Employees and their legal counsel frequently deploy broad data requests to exert maximum pressure on employers during settlement negotiations. By demanding access to all processed data, including internal communications and performance reviews, employees can create a significant administrative and financial burden for the company, often leading the employer to offer a higher severance payment to make the DSAR "go away."
German labor courts have seen cases where DSARs were used to construct compensation claims under Article 82 of the GDPR, which allows for damages in the event of data protection violations. While there is no uniform line of case law, some German courts have been remarkably subject-friendly, awarding damages for even minor procedural delays or incomplete disclosures. Legal analysts suggest that while the recent ECJ ruling may lead to more scrutiny of these practices, the threshold for proving "abuse" remains so high that German employers will likely continue to face these challenges for the foreseeable future.
Ireland: The Rigor of the Data Protection Commission
Ireland, as the European headquarters for many global technology firms, has a particularly sophisticated DSAR environment. Irish employers are witnessing a surge in DSARs used during grievance escalations and pre-litigation positioning. The Irish Data Protection Commission (DPC) has been vocal in its stance: DSARs must be processed promptly and cannot be deprioritized due to ongoing litigation.
The DPC has consistently ruled that "poor data mapping" or "fragmented HR systems" are not valid excuses for delays. This has placed Irish employers under significant pressure to modernize their data governance. The DPC’s decisions emphasize that the right of access is a standalone right. Even if an employer is already providing documents through a legal discovery process, they must still fulfill the DSAR independently, often within a tighter one-month timeframe. This "dual-track" disclosure requirement makes the Irish landscape one of the most demanding for employers in the EU.
The Netherlands: Financial Consequences and Identification Hurdles
In the Netherlands, public awareness of GDPR rights is exceptionally high. In 2025, the Dutch Data Protection Authority (AP) reported receiving over 13,000 complaints and notifications, nearly double the figures from 2024. This surge reflects a growing "rights culture" among Dutch employees.
A significant development in the Netherlands involves the administrative hurdles employers sometimes place in front of requesters. A notable case involving DPG Media highlighted the risks of over-complicating the DSAR process. The company required individuals to provide copies of their ID to verify their identity, even when other, less intrusive means were available. The Dutch AP ruled this was a violation of the GDPR’s obligation to facilitate the exercise of data rights, resulting in a fine of EUR 262,500. This case serves as a stark warning to Dutch employers that any perceived "obstruction" of a DSAR can lead to substantial financial penalties.
Poland and the United Kingdom: Divergent Paths
In Poland, the use of DSARs in employment remains relatively nascent. The Polish Data Protection Authority has not yet issued definitive rulings on their use in labor disputes, though observers expect the trend to eventually migrate eastward as Polish employees become more aware of the tactical advantages utilized by their Western European counterparts.
Conversely, the United Kingdom is at a crossroads. While the UK currently follows a "UK GDPR" framework nearly identical to the EU’s, legislative efforts have sought to ease the burden on employers. The proposed Data Protection and Digital Information Bill—often associated with the "European Omnibus Package" context—aims to allow employers to refuse "vexatious" requests or those made in "bad faith." If passed, this would mark a significant departure from the ECJ’s current trajectory and could make the UK a more employer-friendly jurisdiction regarding data disclosure.
The Impact of Artificial Intelligence and Modern Work Tools
The nature of the data being requested is also evolving. In the UK and other tech-forward jurisdictions, the rise of Artificial Intelligence (AI) has introduced new complexities. Outputs from tools like Microsoft Co-Pilot, AI-generated meeting transcripts, and automated sentiment analysis are now being caught in the net of DSARs.
Employers are finding that transcripts of "private" investigation meetings, recorded via AI note-takers, are fully disclosable if they contain personal data. This has led to a "privacy by design" movement within HR, where managers are being trained to assume that every digital interaction could one day be exported and handed to the employee. Furthermore, the use of AI by employees to generate broad, complex DSARs—and by employers to process them—is creating an "AI arms race" that complicates the assessment of what is a "proportionate" search.
Implications for the Future of Workplace Privacy
The enrichment of DSARs as a litigation tool suggests a permanent shift in the power dynamics of the workplace. Employers can no longer view data protection as a back-office compliance issue; it is now a front-line legal strategy. The costs of compliance are rising, not just in terms of legal fees, but in the "hidden" costs of administrative time and the potential for reputational damage.
To mitigate these risks, organizations are being advised to implement "mature, defensible processes." This includes proactive data mapping, clear policies on the use of recording technology, and specialized training for HR staff on the nuances of redaction. As the ECJ continues to prioritize the rights of the individual, the era of the "simple" transparency tool is over, replaced by a complex legal instrument that requires precision, speed, and a deep understanding of the evolving European judicial landscape.
