On 9 January 2025, the Court of Justice of the European Court (CJEU) provided clarity on what constitutes an excessive data subject access request (DSAR) under the GDPR in Case C-416/23. Excessive requests will be determined by the requestor's intent and not simply by the number of access requests made.
This case arose following an individual submitting 77 complaints to the Austrian supervisory authority (DPA) over a 20 month period running from 2018 to 2020, following 46 separate right to erasure requests and 29 access requests made by the complainant to various controllers.
The CJEU clarified that, pursuant to Article 57(4) of the GDPR, the term 'request' encompasses various claims, and the DPA must show abusive intent to label requests as 'excessive.' Interestingly, authorities have the option to charge reasonable fees or refuse action on such requests if deemed necessary and proportionate.
The ruling relies on the logic that one extremely broad request may, depending on the facts (and the requestor's intent) be more or less excessive than a number of narrower requests that, collectively, become problematic to the controller dealing with those DSARs (or the DPA in the form of complaints).
However, determining a requestor's ‘abusive intent’ will never be straightforward, so expect more complaints and referrals to the CJEU in the future, particularly where the DPA has sought to charge reasonable fees or refused to take action based on the requestor's purported abusive intent.
CJEU rules on the definition of 'excessive' GDPR requests, emphasizing intent over quantity.
unknownx500
