ECJ Ruling on Data Subject Access Requests: Some Welcome Relief for European Employers, or Not Quite Yet? (Part I)

The ECJ’s recent ruling marks a nuanced shift in GDPR enforcement, clarifying that even an initial data‑subject access request can be deemed excessive when the requester’s motive is to manipulate the law for personal gain. By anchoring the test in everyday language, the court demands a dual‑pronged analysis: objective facts showing the request does not serve its legitimate purpose, and a subjective intent to extract an advantage. This heightened standard raises the evidentiary bar for data controllers, who must now document both the context of the request and the requester’s mindset to justify a refusal.

In the employment arena, the decision arrives at a time when former workers increasingly use DSARs to gather evidence for unfair‑dismissal or discrimination claims. While the ruling theoretically empowers employers to push back against clearly abusive requests, the specific factors highlighted by the court—such as the time elapsed since data provision and the voluntary nature of the data supplied—are less applicable when an employee’s request follows a termination. Consequently, companies may find it challenging to meet the strict threshold, leaving them vulnerable to costly compliance obligations and potential litigation.

Looking ahead, the practical impact will hinge on how national data‑protection authorities interpret and enforce the ECJ’s guidance. Some jurisdictions may adopt a more restrictive view, offering clearer pathways for employers to contest abusive DSARs, while others could maintain a broader protective stance for data subjects. Organizations should therefore audit their DSAR processes, strengthen documentation practices, and consider proactive engagement with legal counsel to navigate the evolving landscape and mitigate exposure to disputes.