The European Court of Justice (ECJ) recently issued a landmark ruling regarding Data Subject Access Requests (DSARs) that has sent ripples through the human resources and legal departments of organizations across the continent. This decision, which clarifies the definition of "excessive" requests and the motivations behind them, comes at a time when the use of DSARs has shifted from a tool of transparency to a strategic maneuver in employment litigation. As the General Data Protection Regulation (GDPR) matures, employees are increasingly utilizing their right to access personal data as a means of discovery, leverage for severance negotiations, and a method to exert pressure on employers during contentious disputes.
Across Europe, the implementation and reception of DSARs vary significantly, reflecting diverse legal cultures and regulatory approaches. While some jurisdictions see a surge in sophisticated, AI-driven requests, others remain in the early stages of navigating this complex intersection of privacy and labor law. The recent jurisprudence from the ECJ reinforces the principle that the right of access is nearly absolute, placing a heavy burden of proof on employers who seek to deny requests on the grounds of abuse or excessive burden.
The European Court of Justice and the Burden of Proof
The core of the recent legal debate centers on Article 15 of the GDPR, which grants individuals the right to obtain a copy of their personal data from a controller. Historically, employers have argued that requests made solely for the purpose of gathering evidence for litigation—rather than for checking the accuracy of data processing—should be considered an "abuse of rights." However, the ECJ has consistently moved toward a "purpose-blind" interpretation of the GDPR.
The latest findings suggest that a data controller cannot dismiss a first-time DSAR as abusive simply because it is burdensome, costly to fulfill, or clearly linked to an ongoing employment dispute. The court emphasizes that the right of access is fundamental to the protection of privacy. Consequently, the threshold for a request to be deemed "manifestly unfounded or excessive" under Article 12(5) remains exceptionally high. The burden of proving such excessiveness lies entirely with the employer, a task that has proven difficult in almost every European jurisdiction.
Regional Trends and the Strategic Use of Data Requests
Belgium: A Rising Trend in Termination Disputes
In Belgium, legal practitioners have noted a steady increase in DSARs, particularly in the context of "unreasonable" or discriminatory termination claims. While the volume of requests has not yet reached the levels seen in the United Kingdom or Germany, the strategic intent is clear. Employees use these requests to uncover internal communications that might suggest a predetermined decision to terminate or to find evidence of bias.
The Belgian Data Protection Authority (DPA) has maintained a strict stance toward employers. While it acknowledges that successive or repetitive requests can be excessive, it rarely rules in favor of the employer if the request is the individual’s first. The DPA has indicated that a conflictual relationship between the parties is not a valid reason for refusal. Only when an employer can demonstrate a clear intent to harm the company’s operational interests—rather than a desire to obtain data—does the DPA offer a reprieve.
France: Navigating Proportionality and Inconsistent Rulings
France has seen one of the most significant surges in DSAR activity. The practice has become so systematic that in-house privacy specialists have petitioned the Commission Nationale de l’Informatique et des Libertés (CNIL) for clearer guidance on how to manage the resource drain. In response, the CNIL has issued detailed guidelines to help controllers find a balance between the employee’s right of access and the employer’s right to protect trade secrets and the privacy of third parties.
A particular point of contention in France involves access to personal data contained within professional emails. French courts have struggled to maintain a consistent line of case law. Some tribunals have upheld an absolute right for employees to access any document containing their name, regardless of the underlying motive. Others have attempted to limit the scope in the context of active litigation, creating a complex legal landscape for HR departments to navigate.
Germany: DSARs as Leverage for Severance
In Germany, the DSAR has evolved into a standard component of the "employment dispute toolkit." It is frequently used to exert pressure during settlement negotiations, with the goal of securing higher severance payments. The administrative burden of reviewing thousands of emails and documents to redact third-party information is so high that many German companies prefer to settle a claim rather than fulfill a broad DSAR.
German labor courts have occasionally taken a "data subject-friendly" approach, even awarding damages to employees when employers fail to respond fully or within the statutory one-month timeframe. While the recent ECJ ruling may lead to more critical scrutiny of these practices, legal experts suggest it is unlikely to be a turning point. The high threshold for proving abuse remains a significant barrier for German employers.
Ireland: The Challenge of Fragmented HR Systems
The Irish Data Protection Commission (DPC) has been vocal about the strategic deployment of DSARs in grievances and pre-litigation positioning. Irish employers are finding that requests are becoming broader and more sophisticated, often testing the robustness of the company’s data governance.
The DPC has reinforced that DSARs must not be deprioritized because of an ongoing dispute. Crucially, the Irish regulator has noted that delays caused by poor data mapping or fragmented legacy HR systems are not valid excuses for failing to meet the one-month deadline. For Irish organizations, the shift necessitates a move from ad-hoc responses to mature, defensible data retrieval processes.
The Netherlands: Increasing Regulatory Oversight
The Netherlands provides a clear statistical view of the growing awareness of GDPR rights. In 2025, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens or AP) received over 13,000 complaints and notifications, nearly doubling the 7,100 reported in 2024. This surge indicates a high level of "GDPR literacy" among the Dutch workforce.
A recent landmark case involving DPG Media highlighted the risks of non-compliance. The AP fined the company €262,500 for requiring individuals to provide copies of their ID to submit a DSAR when less intrusive methods were available. While this was not an employment case, the principle applies: any barrier an employer places in the way of a DSAR can lead to significant financial penalties.
The Impact of Emerging Technologies and AI
The United Kingdom is currently at the forefront of a new challenge: the intersection of DSARs and Artificial Intelligence. The use of AI tools to both generate and respond to data requests is changing the landscape of proportionality.
AI-Generated Requests and Automated Discovery
Employees are now using AI to draft exhaustive requests that target specific date parameters, custodians, and keyword strings, making the requests more difficult to dismiss as "vague." Conversely, employers are turning to AI-assisted review (TAR) to handle the massive volumes of data. However, the use of AI introduces new categories of disclosable data.
For instance, outputs from tools like Microsoft Co-Pilot, including automated meeting summaries and transcripts, are now being captured in DSAR outputs. Employers who implemented these tools for productivity often did not anticipate that the informal "notes" generated by AI would be subject to disclosure. This has created a new frontier of risk, particularly regarding internal investigations and disciplinary meetings where AI recording tools might have been active without explicit, multi-party consent.
Legislative Shifts in the UK
The UK government has explored legislative amendments through various packages to relieve the administrative burden on employers, including the potential to refuse "vexatious" requests or charge reasonable fees. While some of these proposals have faced delays or modifications, the general direction of travel suggests a desire to prevent the GDPR from being used purely as a tool for "fishing expeditions" in litigation. However, until such laws are fully enacted and tested in court, UK employers remain subject to the same rigorous standards as their EU counterparts.
Chronology of the DSAR Evolution
- May 2018: GDPR comes into force, establishing the right of access under Article 15.
- 2019-2021: Initial wave of DSARs; mostly consumer-focused with limited employment-related usage.
- 2022: Shift in strategy; legal counsel across Europe begins recommending DSARs as a pre-litigation discovery tool in employment disputes.
- 2023-2024: Rise of "excessive" claims by employers; various national DPAs (CNIL, DPC) issue specific guidance for the employment sector.
- 2025: Dutch AP reports a 100% year-over-year increase in GDPR-related complaints.
- Present: ECJ ruling confirms that the purpose of a request (including litigation) does not invalidate the right of access, cementing the DSAR’s role in labor law.
Broader Implications for Organizations
The current legal climate necessitates a fundamental shift in how businesses handle employee data. Organizations can no longer view DSAR management as a secondary administrative task; it is now a core component of risk management and litigation defense.
The financial implications are twofold. First, there is the direct cost of compliance, which often involves hundreds of hours of legal and IT review. Second, there is the risk of "procedural damages." In many jurisdictions, a failure to provide a complete and timely DSAR response can result in a court awarding damages to an employee, even if the underlying termination or grievance claim is eventually dismissed.
To mitigate these risks, experts suggest that employers implement robust data retention policies to ensure that unnecessary "chatter" in internal messaging apps is deleted according to a schedule. Furthermore, the use of AI in the workplace must be governed by strict policies regarding what is recorded and how transcripts are stored.
As the ECJ continues to prioritize individual privacy rights over corporate administrative burden, the "weaponization" of the DSAR is likely to intensify. For the modern employer, the only effective defense is a proactive approach to data governance and a sophisticated protocol for responding to requests that are no longer just about transparency, but about legal strategy.
