Can access requests be rejected on grounds of abuse?

Germany

When are companies allowed to reject requests for information by data subjects on grounds of abuse? How have the courts ruled on this so far?

The right of access under data protection law pursuant to Art. 15 General Data Protection Regulation (GDPR) is a central right which data subjects have under the GDPR. The right allows the respective data subjects to obtain information as to whether or not, to what extent and on what legal basis as well as for what purposes controllers process their personal data. Data subjects can ask companies from which they have received advertising emails, for example, about the source from which they obtained their personal data.

Since the GDPR gives every person the right to obtain information on whether or not, and if so how, their data is processed, the right which data subjects have is also used, for example, to create administrative burdens for property management companies, former employers or insurers or to obtain information which is not aimed at protecting the data subject's own data but which instead serves as preparation for potential claims against these persons.

It is extremely difficult to determine whether a request serves the purpose of the right of access under data protection law or has been made abusively for entirely different purposes. Pursuant to Recital 63 GDPR, the right of access is granted to data subjects "in order to be aware of, and verify, the lawfulness of the processing."

However, the legislative text of the GDPR specifies only a few requirements for the right of access and provides for only a few exceptions. For example, the right to obtain a copy of the data, which goes hand in hand with the right of access, must not adversely affect the rights and freedoms of others (Art. 15 (4) GDPR). In addition, Art. 12 (5) GDPR provides for restrictions on manifestly unfounded or excessive requests. However, data subjects do not have to justify their requests for information. Therefore, controllers are often unclear about the true background of the request and assume from the context that the right of access is being abused.

As far as the question of when a request for information can be rejected as unfounded, excessive or an abuse of rights is concerned, the German courts have in the past therefore tended to focus on the individual case. The further the motives behind the requests moved away from the interests protected by data protection law, the more often the requests were rejected as excessive or abusive.

Even the EU's official statements on this issue do not provide conclusive clarity on the criteria and arguments on the basis of which a request for information can be rejected. However, the Advocate General at the European Court of Justice (CJEU), Juliane Kokott, has developed pointers for the objection of abuse in data protection law. And the European Data Protection Board (EDPB) has also commented extensively in its right of access guidelines on the limitations of this right.

Overview of case law

Courts use the argument of abuse of rights primarily to establish justice in individual cases. Dogmatic explanations of Art. 15 GDPR are rather rare. The more likely it is that the party bringing the claim will use the right of access for purposes which are not related to data protection or as a means of exerting pressure, the more likely it is that the courts will reject a request for information on grounds of an abuse of rights.

The German Federal Court of Justice (BGH) recently referred the question of whether an abuse of rights precludes the right to information pursuant to Art. 15 GDPR to the CJEU (German Federal Court of Justice (BGH), order of 29 March 2022 – VI ZR 13252/20, BeckRS 2022, 9584). In its order for reference, the German Federal Court of Justice (BGH) is asking the CJEU to answer the legal question of whether there is also a right of access pursuant to Art. 15 GDPR if the data subject pursues a "purpose which is legitimate but not related to data protection". In its grounds for the question referred on goals which are not related to data protection, it proposed affirming this question: the right to access is only excluded "if the person requesting the information is pursuing objectives disapproved of by the legal system or is acting fraudulently or vexatiously" (margin no. 29). A decision by the CJEU is not expected until the end of 2023/beginning of 2024 at the earliest.

In lower courts, the decisive factor for the success of the abuse of rights objection has so far been the extent to which the court had the impression that the claimant was pursuing goals which are not related to data protection. Where the motivation is clearly not related to data protection and where Art. 15 GDPR is clearly only being misappropriated, the courts will normally reject requests for information. In cases where the motives are at least obviously not related to data protection, the chances of success have so far been 50:50. If the person requesting the information is at least alleging a motive related to data protection or if several motives are conceivable, the courts will normally affirm a right of access.

Motives which are clearly not related to data protection

The following table presents a concise overview of the facts of each case, the reason why the court established indications of an abuse of rights and whether the court awarded the claimant a right of access.

Heidelberg Regional Court, decision of 21 February 2020 – 4 O 6/19, ZD 2020, 313

Facts

The claimant was a member of the board of directors of a German stock corporation (AG) in 2010/11. He asserted a right of access with regard to email correspondence from August 2010 to November 2021.

Indications of abuse of rights

  • Large amount of personal data affected (several thousands of emails)
  • Very old emails were being requested without any apparent interest in the information (nine to ten years in each case)
  • The claimant explicitly pleaded that using Art. 15 GDPR as a form of pressure is permissible

Right of access awarded

❌ (Request for information was found to be disproportionate)

Bonn Local Court, decision of 30 July 2020 – 118 C 315/19, BeckRS 2020, 19548

Facts

The claimant was requesting information about his account movements from the defendant bank.

Indications of abuse of rights

  • Express goal of preparing for legal disputes with third parties
  • The information had already been communicated by retrieval in online banking

Right of access awarded

✅ (Pursuing goals not related to data protection is permissible)

Note: The following decisions on premium adjustments to insurance policies each concern similar sets of facts but are independent of each other (different courts and different parties).

Stuttgart Regional Court, decision of 4 November 2020 – 18 O 333/19, BeckRS 2020, 38735

Facts

The claimant was asserting a right of access against the defendant pension insurance company. The goal was to check whether she can assert a "perpetual right of withdrawal".

Indications of abuse of rights

The express goal was to prepare for a claim for payment

Right of access awarded

❌ (Breach of the requirement of fairness pursuant to Article 5 (1) (a) GDPR established as the request for information was pursuing goals which are not related to data protection)

Cologne Regional Court, decision of 11 November 2020 – 23 O 172/19, BeckRS 2020, 30968

Facts

The claimant was challenging the health insurance policy entered into with the defendant on grounds of fraudulent misrepresentation. In connection with the claim for repayment of contributions, he was requesting information pursuant to Art. 15 GDPR about all personal data, in particular application and risk assessment documents.

Indications of abuse of rights

The express goal was to prepare for a claim for payment

Right of access awarded

✅ (It was established that Article 12 (5) sentence 2 GDPR does not cover general requests for information which constitute an abuse of rights; motivation for requests for information found to be irrelevant)

Wuppertal Regional Court, decision of 29 July 2021 – 4 O 409/20, ZD 2022, 53

Facts

The claimant was contesting premium adjustments by the defendant insurance company. To this end, he requested information pursuant to Article 15 GDPR on premium adjustments in 2014, 2015 and 2016 in order to be able to quantify his claim for payment.

Indications of abuse of rights

The express goal was to prepare for a claim for payment

Right of access awarded

❌ (Breach of good faith pursuant to section 242 German Civil Code (BGB) established as the claimant was found to only be taking advantage of a formal legal position and to have no interest of his own worthy of protection)

Krefeld Regional Court, decision of 6 October 2021 – 2 O 448/20, BeckRS 2021, 34436

Facts

The claimant was contesting premium adjustments by the defendant insurance company. To this end, he requested information pursuant to Article 15 GDPR on premium adjustments in the years 2011 to 2020 in order to be able to quantify his claim for payment.

Indications of abuse of rights

The express goal was to prepare for a claim for payment

Right of access awarded

❌ (Claimant was found to be pursuing goals not related to data protection)

Berlin Brandenburg Tax Court, decision of 27 October 2021 – 16 K 5148/20, BeckRS 2021, 47455

Facts

The claimant was requesting a copy of all documents concerning his trade tax assessment amounts for the years 2013 to 2015 from the competent tax office.

Indications of abuse of rights

The trade tax assessment amounts 2013 to 2015 were already the subject of different proceedings with the same claimant. He had originally asserted this claim for information in the other proceedings.

Right of access awarded

❌ (A right of refusal pursuant to Article 12 (5) sentence 2 (b) GDPR, which also covers abusive requests, was established; the claimant was found to be pursuing goals not related to data protection)

Detmold Regional Court, decision of 26 October 2021 – 02 O 108/21, BeckRS 2021, 34230

Facts

The claimant was contesting premium adjustments by the defendant insurance company. To this end, he requested information pursuant to Article 15 GDPR on premium adjustments in the years 2009 to 2017 in order to be able to quantify his claim for payment.

Indications of abuse of rights

The express goal was to prepare for a claim for payment

Right of access awarded

❌ (Breach of good faith pursuant to section 242 German Civil Code (BGB) had to be affirmed as the claimant was found to only be taking advantage of a formal legal position and to have no interest of his own worthy of protection)

Hamm Higher Regional Court, decision of 15 November 2021 – 20 U 269/21, BeckRS 2021, 40312

Note: The previous instance was Bochum Regional Court, decision of 15 July 2020 – 4 O 215/20

Facts

The claimant was contesting premium adjustments by the defendant insurance company. To this end, he requested information pursuant to Article 15 GDPR on premium adjustments during the contractual term in order to be able to quantify his claim for payment.

Indications of abuse of rights

The express goal was to prepare for a claim for payment

Right of access awarded

❌ (A right of refusal pursuant to Article 12 (5) sentence 2 (b) GDPR, which also covers abusive requests, was established; the claimant was found to be pursuing goals not related to data protection)

Paderborn Regional Court, decision of 15 December 2021 – 4 O 275/21

Facts

The claimant has private health insurance with the defendant. He was requesting information about the insurance records since 2010 from the defendant in order to prove that the premium increases by the defendant were ineffective.

Indications of abuse of rights

The express goal was to prepare for a claim for payment

Right of access awarded

❌ (It was established that the defendant had a right to refuse information pursuant to Art. 12 (5) sentence 2 (b) GDPR as Recital 63 GDPR grants the right of access exclusively for the purpose of verifying the lawfulness of the processing)

Weiden Regional Court, decision of 15 December 2021 – 21 O 447/21 Ver, juris

Facts

The claimant has private health insurance with the defendant. He was requesting information on all premium adjustments made by the defendant in the years 2012 to 2020 as he was of the opinion that an ineffective premium adjustment had been made.

Indications of abuse of rights

The express goal was to prepare for a claim for payment

Right of access awarded

❌ (It was established that the defendant had a right of refusal pursuant to Art. 12 (5) sentence 2 (b) GDPR as Art. 15 GDPR does not allow goals which are not related to data protection to be pursued if these do not consist in verifying the lawfulness of the processing)

Berlin Regional Court, decision of 21 December 2021 – 4 O 381/20, BeckRS 2021, 40428

Facts

The claimant was contesting premium adjustments by the defendant insurance company. To this end, he requested information pursuant to Article 15 GDPR on premium adjustments in the years 2011 to 2015 in order to be able to quantify his claim for payment.

Indications of abuse of rights

The express goal was to prepare for a claim for payment

Right of access awarded

❌ (The court held that the intention of Art. 15 GDPR is not to reverse the burden of presentation and proof of German civil procedural law)

Essen Regional Court, decision of 23 February 2022 – 18 O 204/21

Facts

The claimant has private health/nursing care insurance with the defendant. The claimant was of the opinion that his contributions had been wrongly adjusted several times in the past and that he was therefore entitled to a claim for repayment against the defendant. As he did not have it himself, he was requesting the complete insurance documentation from the defendant in order to quantify the claims.

Indications of abuse of rights

The express goal was to prepare for a claim for payment

Right of access awarded

❌ (A right of refusal pursuant to Art. 12 (5) sentence 2 (b) GDPR was established because a formal legal position was being asserted without the claimant having a claim of his own worthy of protection; it was established that his intention was not to verify the lawfulness of the processing. Instead he was found to be pursuing claims for payment; requests which are not related to data protection law are not worthy of protection)

Nuremberg Higher Regional Court, decision of 14 March 2022 – 8 U 2907/21, BeckRS 2022, 7415

Facts

The claimant was contesting premium adjustments by the defendant insurance company. To this end, he requested information pursuant to Article 15 GDPR on premium adjustments in the years 2013 to 2016 in order to be able to quantify his claim for payment.

Indications of abuse of rights

The express goal was to prepare for a claim for payment

Right of access awarded

❌ (A right of refusal pursuant to Article 12 (5) sentence 2 (b) GDPR, which also covers abusive requests, was established; the claimant was found to be pursuing goals not related to data protection)

Dresden Higher Regional Court, decision of 29 March 2022 – 4 U 1905/21, juris

Facts

The claimant was contesting premium adjustments by the defendant insurance company. To this end, he requested information pursuant to Article 15 GDPR on premium adjustments in the years 2011 to 2016 in order to be able to quantify his claim for payment.

Indications of abuse of rights

The express goal was to prepare for a claim for payment

Right of access awarded

❌ (The court found that the right of access could not be based on the GDPR; the claimant had not pleaded that he was concerned with whether the processing was lawful)

Cologne Higher Regional Court, decision of 13 May 2022 – 20 U 295/21

Facts

The claimant was contesting premium adjustments by the defendant insurance company. In this context, he requested information pursuant to Article 15 GDPR on premium adjustments in the years 2011 to 2016.

Indications of abuse of rights

Preparation for pecuniary claims

Right of access awarded

✅ (Whether information is already known to the claimant is irrelevant; no violation of section 242 German Civil Code (BGB) even if the claimant is not concerned with the protection of his data but with preparing for pecuniary claims since the reduction of information asymmetry can also be a legitimate goal and it can hardly be ruled out that the claimant is at least also concerned with the protection of his data; no possibility of refusal pursuant to Art. 12 (5) sentence 2 GDPR even if the claimant is not solely concerned with protecting his rights under the GDPR because there was neither harassment nor requests for information at short intervals)

Obvious motives which are not related to data protection

Neumünster Labour Court, decision of 11 August 2020 – 1 Ca 247 c/20, BeckRS 2020, 29998

Facts

The claimant was requesting information pursuant to Art. 15 GDPR in the context of an action for unfair dismissal.

Indications of abuse of rights

Possibly a way of exerting pressure to achieve a higher severance payment (however, information provided before ruling on action for protection against dismissal)

Right of access awarded

✅ (No breach of the principle of fairness pursuant to Art. 5 (1) (a) GDPR established as it is permissible to pursue goals which are not related to data protection; no direct connection to the request for compensation)

Kerpen Local Court, decision of 22 December 2020 – 106 C 96/20, ZD 2021, 325

Facts

The claimant was requesting information about her personal data at the defendant who was her former employer. The defendant had promised the claimant a retirement pension for life which is the subject of other civil proceedings.

Indications of abuse of rights

Obvious that the information obtained would be used in the other civil proceedings

Right of access awarded

✅ (Pursuing goals not related to data protection as a secondary goal is permissible)

Frankenthal Regional Court, decision of 12 January 2021 – 1 HK O 4/19, BeckRS 2021, 42552

Facts

The person requesting information served as a member of the board of directors of the controller from 2009 to 2018. The controller was bringing an action against him on grounds of D&O liability under German stock corporation law. The person requesting the information was asserting a right of access pursuant to Art. 15 GDPR to email correspondence from the period between 2015 and 2018.

Indications of abuse of rights

Large amount of personal data affected (75,000 emails in the counterclaimant's mailbox alone); no specification of the request for information despite repeated instructions to this effect; obvious goal was to prepare his defence in the main action and delay the liability proceedings against the claimant

Right of access awarded

❌ (Art. 15 GDPR does not allow goals to be pursued which are not related to data protection and does not permit extensive fishing expeditions like US civil procedure law)

Saxony Higher Labour Court, decision of 17 February 2021 – 2 Sa 63/20, BeckRS 2021, 29212

Facts

The claimant was employed by the defendant as head of financial accounting from 2017 to 2019. He was bringing a claim for payment for overtime and a claim for information about the data stored about his performance and conduct.

Indications of abuse of rights

The obvious goal was to prepare the claim for payment for overtime

Right of access awarded

❌ (Art. 15 GDPR does not allow goals to be pursued which are not related to data protection and does not intend to circumvent the German burden of presentation and proof)

Saxony Higher Labour Court, decision of 10 June 2021 – 9 Sa 861/20, BeckRS 2021, 32421

Note: Parallel decision of Hesse Higher Labour Court, decision of 10 June 2021 – 9 Sa 1413/19

Facts

The claimant was employed at the defendant retail company. The defendant terminated the employment relationship on grounds of allegations of fraud (the action for unfair dismissal was dismissed with final and binding effect).

Indications of abuse of rights

Obvious that information would be used for parallel criminal proceedings

Right of access awarded

✅ (It was established that the claimant was not breaching the principles of good faith pursuant to section 242 German Civil Code (BGB) since pursuing goals not related to data protection is also permissible; blanking out information conceivable at most)

Pankow Local Court, decision of 28 March 2022 – 4 C 199/21, rewis.io

Facts

The claimant was requesting compensation for the defendant not having provided complete information about the video recording of the surveillance camera in the S-Bahn (German suburban regional train).

Indications of abuse of rights

No recognisable interest in verifying the lawfulness of processing (the court held that, for this, the information provided relating to purpose, storage period, etc. would be sufficient)

Right of access awarded

❌ (Excessive expense and effort pursuant to section 275 (2) German Civil Code (BGB))

No overriding motive not related to data protection

Munich Local Court, decision of 4 September 2019 – 155 C 1510/18, BeckRS 2019, 23247

Facts

The claimant was requesting information about collection costs in earlier civil proceedings with the defendant.

Indications of abuse of rights

Collection costs had already been communicated to the claimant in the earlier civil proceedings

Right of access awarded

✅ (No interest in legal protection necessary)

Münster Higher Administrative Court, decision of 8 June 2021 – 16 A 1582/20, BeckRS 2021, 13156

Facts

The claimant was an examination candidate who was requesting information about his examination file from the defendant which was the State Law Examination Board (Landesjustizprüfungsamt).

Indications of abuse of rights

Size of the examination file was 348 pages

Right of access awarded

✅ (Art. 12 (5) sentence 2 GDPR only covers excessive requests; copying a clearly defined number of pages (348) was found not to be sufficient to constitute an excessive request; harassment, at most, would be covered)

Wiesbaden Regional Court, decision of 30 September 2021 – 3 S 50/21, BeckRS 2021, 29228

Facts

The claimant entered into a tenancy agreement with the defendant as private landlord. In the course of an eviction dispute, he asserted a right of access pursuant to Art. 15 GDPR.

Indications of abuse of rights

Connection with eviction dispute

Right of access awarded

✅ (No reliable indications of abuse of rights were established; lack of clarity about the scope of data processing as a legitimate interest was found to definitely be sufficient)

Lower Saxony Higher Labour Court, decision of 22 October 2021 – 16 Sa 761/20, BeckRS 2021, 32008

Facts

The claimant worked as a plant manager at the defendant which is part of an automobile group. In the course of the "diesel affair", the defendant dismissed him on grounds of a breach of duty which he denied. The claimant filed an action for unfair dismissal. He asserted a right of access to certain documents in connection with the "diesel affair".

Indications of abuse of rights

Close connection to action for unfair dismissal (however, verification of lawfulness of data transfer to the USA cited as alleged motive)

Right of access awarded

✅ (Requirements for the objection pursuant to Art. 12 (5) sentence 2 (b) GDPR were found not to be met; use for the purpose of verifying the lawfulness was found to be possible)

Opinion of Advocate General Kokott in the Nowak case

The Opinion of Advocate General Kokott in the Nowak case (C‑434/16) delivered on 20 July 2017 brings some clarity to the interpretation of the abuse of rights objection in the context of Art. 15 GDPR which has been handled very differently by the courts. In the legal dispute, the claimant had been accused of abusing his right of access. In this regard, the Advocate General clarified that it is not permitted to improperly or fraudulently take advantage of provisions of EU law. For the presumption of an abusive practice a combination of objective and subjective elements is necessary:

"A finding of an abusive practice requires a combination of objective and subjective elements. First, with regard to the objective element, such a finding requires that it must be apparent from a combination of objective circumstances that, despite formal observance of the conditions laid down by EU rules, the purpose of those rules has not been achieved. Second, such a finding requires a subjective element, namely that it must be apparent from a number of objective factors that the essential aim of the transactions concerned is to obtain an undue advantage. The prohibition of abuse is not relevant where the activity carried out may have some explanation other than the mere attainment of an (undue) advantage."

However, mere access to information to which there would otherwise be no access does not constitute an undue advantage.

With regard to the GDPR, which was not yet applicable at that time, the Advocate General also stated that the GDPR contains clearly standardised exceptions to and restrictions of the right of access, which would finally resolve the problem. However, the standardised restrictions, e.g. in Art. 15 (4) GDPR, are of no assistance where rights of access are being abused. Instead, the basis for an objection of abuse can be found in Art. 12 (5) sentence 2 second alternative GDPR. Precise criteria for the ground for refusal are not listed here though. In this respect, recourse can continue to be taken to the objective and subjective criteria established by the Advocate General for determining that a right of access is being abused.

A further finding of the Advocate General, which she used to deny that the claimant had sought an undue advantage, can also still be used. The Advocate General stated with regard to the information sought on examination-related services that it was not apparent what the undue advantage was if the right of access was being pursued with the aim of gaining insight into one's own data.

"If there were already access to personal information, the introduction of a right of access under data protection law would not have been required. It is instead the task of the right to access under data protection legislation to make available to the person concerned [...] access to his own data, where otherwise no right of access exists."

This idea can be used as a counterargument if the accusation is made that the right of access is being exercised abusively in order to gain access to data that served to prepare for a further-reaching claim.

EDPB: reasons for requesting data protection information not necessary

Detailed criteria for the objection of abuse are also contained in the EDPB's "Guidelines 01/2022 on data subject rights - Right of access" from January 2022. These set out clear requirements that partly contradict the lines of decision taken previously by the German courts.

In this context, the limits of the right of access, taking account of Art. 12 (5) GDPR, are particularly relevant. In this regard, the EDPB first states that the exclusions in Art. 12 (5) GDPR must be interpreted narrowly so that the principles of transparency and cost free data subject rights are not undermined (margin no. 173). It states that, in particular, there is no requirement to give reasons or to justify the request separately (margin no. 165). A decision as to whether a request is abusive or not always also requires reasoned consideration on a case by case basis (margin no. 174). The EDPB tries to approach the alternative criteria of "manifest unfoundedness" and "excessive" filing of requests by means of abstract criteria and concrete examples.

"Manifestly unfounded" to be determined on a case by case basis

There is only very limited scope for relying on the first refusal alternative in Art. 12 (5) sentence 2 GDPR of manifest unfoundedness (margin no. 175). However, the guidelines do not contain precise criteria or concrete examples of when the requirements for this refusal alternative are met.

In any case, controllers should not presume that a request is manifestly unfounded merely because the data subject has previously submitted requests which have been manifestly unfounded or excessive or because the request includes unobjective or improper language (margin no. 178). Consideration of each request separately on a case by case basis is always necessary.

Overall, it seems that hardly any constellations are conceivable in which this ground for refusal could be applied. In the EDPB's view, this alternative is therefore likely to be relevant in practice only very rarely.

Requests for information can be "excessive" if they are made at short intervals or relate to information that is already known

The second alternative of Art. 12 (5) sentence 2 GDPR is the one which is more relevant. This allows controllers to refuse to provide information in the case of "excessive" requests, "in particular because of their repetitive character", or to make the provision of information dependent on the payment of a reasonable fee.

For example, a time interval between two requests that is shorter than what can be considered reasonable could be an indication of the excessive nature of a request (margin no. 181). A request for information could also be considered excessive if it refers to exactly the same information that has already been provided (margin no. 183). If, on the other hand, controllers are confronted with requests which would require a vast amount of time and effort, this is regularly not sufficient for the request to be considered excessive (margin no. 186). The fact that it is possible to provide the information easily, especially by electronic means, also argues against the admissibility of the objection of an abuse of rights (margin no. 184).

For repeated requests for information, the EDPB gives further criteria and examples to help controllers to assess whether a repeated request for information is excessive (margin no. 183).

These criteria are:

  • expected alterations to the dataset,
  • the category of data concerned and its sensitivity,
  • the purpose of the processing and, in particular, whether the data subject would suffer harm if the data processed were disclosed, and
  • repeatedly requesting the same information that is already available to the data subject on the basis of previous requests.

As an example, the guidelines mention a repeated request concerning the same information at an interval of two months to a carpenter who manufactured a table for the data subject (margin no. 183). In the case of the carpenter, the court held that no further alterations to the dataset could be expected as he had only collected the personal data on the occasion of the legal transaction. Processing data is also not part of his core activity and the processed data does not fall into any of the categories of personal data requiring special protection. Therefore, sending requests to this controller at intervals of two months for exactly the same information as had already been disclosed had to be considered excessive.

Requests for information other than repeated requests may also be considered excessive pursuant to Article 12 (5), sentence 2 second alternative GDPR if they are made with the intent of causing damage or harm to the controller (margin no. 186). In the EDPB's view, requests constituting an abuse of rights appear, under certain conditions, to be "excessive" requests for information pursuant to Art. 12 (5) sentence 2 second alternative GDPR.

According to the EDPB, reasons to presume that a request constitutes an abuse of rights can therefore be the following (margin no. 188):

  • an offer by the data subject to withdraw the request in return for some form of benefit from the controller; or
  • the request is made with malicious intent and is being used to harass a controller or its employees with intent to cause expense or disruption in the course of business, evident from the fact that
    • the data subject has explicitly stated this or
    • different requests are systematically sent to the same controller as part of a kind of campaign with the aim of causing disruptions to processes.

Therefore, if a data subject making a request for information wishes to avoid having his or her request rejected on simple grounds, he or she should avoid explicitly revealing his or her intention of harassment or asking for benefits in return for withdrawing his or her request.

According to the EDPB, reasons which are not sufficient in themselves as a basis to refuse a request for information on grounds of an alleged abuse of rights, are, by contrast (margin no. 187):

  • failure of the data subject to give reasons for the request for information,
  • the use of improper or impolite language in the context of the request for information, or
  • an intention to use the information to be provided for further claims against the controller.

Controllers who wish to reject a request for information on grounds of abuse of the rights of data subjects under the GDPR should therefore, wherever possible, not rely solely on one of the above reasons, but provide further grounds.

Finally, the EDPB guidelines make it clear that the burden of proof for refusing a request for information always lies with the controller (margin no. 191). Controllers not only have to document the refusal and their reasons for this, but must also inform the data subject of the reason for their refusal as well as of his or her right to lodge a complaint and of the possibility of seeking a judicial remedy (margin no. 191). Because an unjustified rejection constitutes an infringement of the rights of data subjects, in such cases there may also be a risk of official orders, fines (margin no. 193) or claims for compensation by the data subjects.

Fair balance of interests between the data subject and company possible on the basis of Art. 12 (5) sentence 2 GDPR

Even if the EDPB does not provide any rigid guidelines for the interpretation of the grounds for refusal in Art. 12 (5) sentence 2 GDPR, the explanations and, in particular, the criteria and examples mentioned in the guidelines provide further guidance for practice. It is to be expected that the data protection authorities will follow these guidelines, which is why the requirements set out in the guidelines should also be known by the persons requesting information and the data protection officers.

It remains to be seen whether the German courts will apply these criteria in the future. On the one hand, guidelines from the EDPB are a prominent source that will be cited in numerous proceedings. On the other hand, the courts are also entitled to review the authorities' positions rather than adopt their views uncritically. So far, the more generous line taken in case law with regard to controllers definitely contradicts the EDPB's guidelines, which are more favourable to data subjects.

Clarification will probably only come from the CJEU when it decides at the end of 2023/beginning of 2024 on the question referred by the German Federal Court of Justice (BGH) on the abuse of rights pursuant to Art. 15 GDPR (German Federal Court of Justice (BGH), order of 29 March 2022 - VI ZR 13252/20, BeckRS 2022, 9584). Even after the CJEU ruling, however, not all detailed questions will presumably be clarified as the CJEU typically concentrates on the individual case presented and only provides a concise statement of reasons.

The conflict between the broadly defined Art. 15 GDPR and the finely balanced information obligations of general civil and procedural law will therefore continue to occupy the courts. Instead of generally invoking an abuse of rights, the dispute will probably mainly ignite over whether a request is "excessive" within the meaning of Article 12 (5) sentence 2 GDPR. The EDPB's narrow understanding follows neither from the wording "excessive" nor from the goal of the right of access, which primarily serves to verify the lawfulness of the processing (Recital 63) and not motives which are not related to data protection. On the contrary, there are good reasons to argue that Art. 12 (5) sentence 2 GDPR opens up a balancing of interests in which goals which are not related to data protection have correspondingly lower weight. In this way, courts can achieve a fair balance of interests between data subjects and controllers.

Our regularly updated blog post on the case law on compensation in accordance with Art. 82 GDPR provides up-to-date information on this topic. The CMS Enforcement Tracker provides an overview of GDPR fines.