ECJ Says 1st GDPR Access Request Can Be Excessive Under Article 12(5)

1 articles · Updated · Employment Law Worldview · May 26

The EU court said even a first data subject access request can be rejected as “excessive” if a controller proves it was filed abusively to manufacture a GDPR-based advantage.
Article 12(5) must be read in its ordinary meaning, the ECJ said, but using that exception requires a strict evidential showing of both objective abuse and the requester’s intent.
The ruling arose from a German case in which a person signed up for an optician’s newsletter, filed a DSAR 13 days later, then sought compensation after refusal; public records suggested similar tactics with other controllers.
For employers, the judgment offers only limited help: the court’s abuse indicators may be harder to apply when dismissed workers use DSARs while preparing unfair-dismissal or discrimination claims.
National data protection authorities will now shape how far the ruling reaches, especially in employment disputes where DSARs have become a common litigation tool.

Has the ECJ created a new legal battleground over a data subject’s private motives?

Will proving a DSAR is abusive ultimately cost companies more than simply complying with it?