When is a data subject access request abusive?
If you deal with data subject access requests (DSARs), have you ever had one land on your desk and then done some research about the data subject and their track record for raising DSARs?
I suspect not, but that is what a family-run opticians, Brillen Rottler, based in Germany, did, and what they found led them to refuse the request on the basis that it was abusive even though:
- It was the first DSAR this data subject had submitted to Brillen.
- Brillen only held a small amount of personal data about the data subject.
Article 15 of the GDPR (and the UK GDPR) grants data subjects the right to make a data subject access request (DSAR) to obtain confirmation from a controller whether their personal data is being processed and, if so, access to that data along with various supplementary information. However, a controller may refuse to act on a DSAR if the request is “manifestly unfounded” or “excessive”.
Brillen came to the conclusion that the DSAR received was abusive because during its research it found various reports showing that the data subject in question made a habit of subscribing to company newsletters, submitting DSARs and then claiming compensation for breach of the GDPR. In Brillen’s case, the data subject subscribed to Brillen’s newsletter via a registration form on its website, sent a DSAR to Brillen less than 2 weeks later and then claimed compensation for breach of the GDPR. Brillen brought court proceedings seeking a declaration that no compensation was owed and the data subject counterclaimed.
The German court hearing the dispute asked the EU Court of Justice:
- Whether a first request made by a data subject to a controller for access to their personal data may be regarded as ‘excessive’.
- Whether that data subject is entitled to compensation for the damage resulting from an infringement of the right of access.
The Court of Justice said:
- Yes, a first request for access may be considered excessive and therefore abusive and validly refused if its sole purpose is to artificially create a situation whereby the data subject can subsequently claim compensation for an alleged infringement of the GDPR. This is because the true purpose of a DSAR is to allow a data subject to be made aware of the processing of their personal data and verify the lawfulness of that processing.
- The fact that, according to publicly available information, a data subject has made a large number of requests for access to their personal data, followed by claims for compensation to various controllers, may be taken into consideration for the purpose of establishing the existence of an abusive intention. Other relevant circumstances include the fact that the data subject provided personal data without being obliged to do so and the length of time between the provision of the personal data and the DSAR.
- To claim compensation, a data subject must demonstrate they have actually suffered damage. EU law cannot be relied upon for abusive or fraudulent ends so a data subject cannot receive compensation for damage under the GDPR if their own conduct is the determining cause of the damage.
Practical implications
The facts of this case are very specific (and relate to the EU GDPR, not the UK GDPR), so it does not create a wide right for controllers to refuse to deal with DSARs. As always, requests need to be considered on a case-by-case basis, justification will be needed for any refusal, and the threshold for proving abusive intention remains high. However, controllers may wish to consider updating their DSAR response processes to include early consideration of potential abuse of rights and to document their findings.
Want to read more?
Brillen Rottler (Case C‑526/24)
__________________________________________________________________________________
Disclaimer
This information is intended for general informational purposes only and does not constitute legal advice. We recommend seeking professional advice before taking any action on the information provided. If you would like to discuss your specific circumstances, please feel free to contact us on 0800 2800 421.