The landscape of European employment law is currently undergoing a significant transformation, driven by the strategic deployment of Data Subject Access Requests (DSARs). Originally conceived as a fundamental transparency mechanism under Article 15 of the General Data Protection Regulation (GDPR), the DSAR has evolved into a potent tactical instrument in the hands of employees and their legal counsel. A recent landmark ruling by the European Court of Justice (ECJ) has further solidified this trend, clarifying that the underlying motive of a request—even if aimed at gaining leverage in a legal dispute—does not inherently invalidate the data subject’s right to access. This decision has sent ripples across the European Union and the United Kingdom, forcing organizations to re-evaluate their data governance and litigation strategies.
As digital footprints expand and workplace monitoring becomes more sophisticated, the volume of personal data held by employers has grown exponentially. This data, ranging from internal performance reviews and Slack messages to AI-generated transcripts and metadata, has become a goldmine for those seeking to challenge terminations, negotiate severance packages, or uncover evidence of discrimination. The following analysis examines the specific jurisdictional trends across Europe, the impact of the ECJ’s guidance, and the emerging challenges posed by artificial intelligence in the realm of data privacy.
The ECJ Ruling and the High Threshold for Refusal
The recent jurisprudence from the European Court of Justice has underscored a critical principle: the right of access is nearly absolute. The court’s clarification on "excessive" or "abusive" requests has established a high evidentiary burden for employers. To refuse a request, a data controller must prove that the application is not merely burdensome or annoying, but is specifically intended to harm the employer’s interests or represents a clear abuse of the legal process.
This shift has neutralized one of the primary defenses used by companies: the argument that a DSAR is a "fishing expedition" for litigation. The ECJ has essentially ruled that the purpose of the request is irrelevant to its validity. If the data exists and belongs to the subject, the employer must provide it, regardless of whether the employee intends to use that data to sue for wrongful dismissal.
Belgium: A Measured Rise in Tactical Requests
In Belgium, the use of DSARs as a precursor to litigation is on a steady, albeit modest, upward trajectory. Legal practitioners note that requests are increasingly used to gather information for potential claims regarding unreasonable or discriminatory termination. In many instances, the DSAR serves as a pressure tactic, signaling to the employer that the former employee is prepared for a protracted legal battle, thereby incentivizing a more favorable settlement agreement.
The Belgian Data Protection Authority (DPA) has adopted a balanced but strict approach. While it has occasionally ruled on the excessive nature of successive requests, it generally favors the data subject. The Belgian DPA has clarified that a conflictual relationship between the parties is insufficient grounds for refusal. An employer must demonstrate a malicious intent to harm before they can legally ignore a request, a threshold that remains difficult to meet in standard employment disputes.
France: Litigation Strategy and the CNIL Guidelines
The French legal environment has seen a systematic integration of DSARs into employment litigation. The practice has become so prevalent that in-house privacy specialists and HR departments have expressed concern over the "disproportionate" resources required to fulfill broad requests. In response, the Commission Nationale de l’Informatique et des Libertés (CNIL), the French data regulator, has issued comprehensive guidelines to help employers navigate these requests.
These guidelines provide a framework for balancing the employee’s right to access with the employer’s operational capacity, particularly regarding personal data buried within corporate email systems. Despite these guidelines, French courts remain divided. Some chambers of the French judiciary uphold an absolute right to access regardless of purpose, while others have attempted to limit the scope of what an employee can demand during active litigation. This inconsistency creates a complex landscape for multinational firms operating in France, necessitating a case-by-case strategy.
Germany: High Stakes and Severance Negotiations
In Germany, the DSAR has moved from a fringe privacy right to a standard tool in the employment lawyer’s toolkit. It is frequently used to exert maximum pressure on companies to secure higher severance payments. German labor courts have seen instances where individuals appear to target companies under false pretenses, only to follow up with a broad DSAR upon rejection of their initial claims.
The German judiciary has shown a notable "data subject-friendly" bias in several recent cases, with some courts awarding significant damages for delayed or incomplete DSAR responses. While the recent ECJ ruling encourages a more critical look at abusive practices, the burden of proof remains firmly on the employer. In the German context, failing to provide a timely and comprehensive response is increasingly seen by labor courts as a breach of the employee’s fundamental rights, often resulting in direct financial penalties.
Ireland: The Proactive Stance of the DPC
Ireland, as a major hub for multinational technology and pharmaceutical firms, has become a frontline for DSAR evolution. The Irish Data Protection Commission (DPC) has observed that DSARs are now routinely deployed during grievance escalations and pre-litigation positioning. The sophistication of these requests is increasing, with employees often targeting specific HR systems and internal communication platforms.
The DPC has been vocal in its stance: a dispute does not grant an employer the right to deprioritize a DSAR. The commission has explicitly stated that delays caused by fragmented HR systems or poor data mapping are not valid excuses for non-compliance. For Irish employers, the message is that the "litigation privilege" defense is often narrower than they assume, and a failure to have a mature, defensible data retrieval process can lead to severe regulatory scrutiny.
The Netherlands: Increasing Complaints and Heavy Fines
The Dutch Data Protection Authority (Autoriteit Persoonsgegevens or AP) has reported a staggering increase in GDPR-related complaints. In 2025, the AP received over 13,000 complaints and notifications, nearly doubling the 7,100 reported in 2024. This surge reflects a heightened awareness among Dutch citizens—and employees—of their digital rights.
A landmark case involving DPG Media serves as a stark warning for Dutch employers. The company attempted to verify the identity of those submitting DSARs by requiring copies of their ID cards. The AP, and later the Council of State, ruled that this was an unnecessary barrier to exercising GDPR rights. The resulting fine of EUR 262,500 underscores the financial risks of non-compliance. While this case was not strictly an employment matter, the precedent applies: employers must facilitate access as seamlessly as possible, and any perceived obstruction can lead to heavy administrative fines.
Poland and the United Kingdom: Emerging Trends and Legislative Shifts
While Poland has yet to see DSARs become a dominant theme in employment law, the regional trend suggests that it is only a matter of time before the Polish DPA is forced to rule on their use in litigation contexts.
Conversely, the United Kingdom is at a crossroads. For years, UK employers have pushed for legislative relief from "vexatious" or "excessive" DSARs. Proposed amendments under the European Omnibus Package and various iterations of UK data reform bills have sought to allow employers to charge fees or refuse requests that "abuse" the spirit of the GDPR.
Furthermore, the UK is seeing a unique trend: the impact of Artificial Intelligence on the DSAR process. Employees are increasingly using AI tools to draft exhaustive requests, while employers are finding that AI-driven productivity tools, such as Microsoft Copilot, are generating data that was never intended for disclosure. For instance, AI-generated summaries of internal meetings or transcripts of sensitive HR discussions are now being captured in DSAR outputs, creating new risks for confidentiality and internal privilege.
The Future Landscape: Data Mapping and AI Challenges
The convergence of the ECJ’s ruling and the rise of digital workplace tools has created a "perfect storm" for HR and legal departments. The implications are clear: organizations can no longer afford to treat DSARs as a secondary administrative task.
- The Necessity of Data Mapping: Companies must invest in robust data mapping to ensure they can identify and retrieve personal data across disparate systems—from legacy servers to modern cloud-based collaboration tools—within the statutory 30-day window.
- Proportionality and Search Parameters: While the right to access is broad, it is not infinite. Employers must develop defensible methodologies for "reasonable and proportionate" searches, including setting appropriate date parameters and identifying relevant custodians to avoid being overwhelmed by irrelevant data.
- The AI Double-Edged Sword: While AI can help employers search and redact data more efficiently, it also creates more data to be searched. The recording of virtual meetings and the automated transcription of calls mean that every word spoken in a professional context is potentially discoverable.
- Strategic Legal Advice: Given the high threshold for refusing requests and the varying interpretations across European courts, early involvement of legal counsel is essential. A poorly handled DSAR can provide an adversary with the "smoking gun" they need for a successful claim, or it can lead to a standalone fine from a data regulator.
As Europe moves toward more stringent enforcement of privacy rights, the DSAR will remain a central feature of the employment relationship. The shift from a transparency tool to a litigation tactic is complete; for employers, the challenge now lies in operationalizing compliance to mitigate the risks of this new reality.
