How to Defend Against Strategic DSARs and Abusive GDPR Claims
Mark Roebuck
What happened in the Brillen Rottler ruling on abusive DSARs?
In the Brillen Rottler v TC case the claimant (TC):
Subscribed to a Newsletter: In March 2023, TC signed up for the newsletter of Brillen Rottler, a family-run German optician, by entering his personal data on their website.
Triggered a Rapid Data Request: Just 13 days after signing up, TC submitted a formal request for access to his personal data (a DSAR) under Article 15 of the GDPR.
Maintained the Request Despite Refusal: When Brillen Rottler refused the request, labeling it as “abusive” and asking him to withdraw it, TC refused to do so.
Demanded Compensation: TC then added a claim for EUR 1,000 in compensation under Article 82 of the GDPR, arguing that the company’s refusal to provide his data caused him “non-material damage”.
The company argued that this behaviour was not a sincere attempt to verify data lawfulness, but rather a systematic tactic.
Can a first time data request be refused as excessive?
Yes. The court ruled that a controller may refuse a first-time request if they can demonstrate that the individual has an abusive intention. The court noted that while “repetitive” requests are common indicators of excess, a single request can be deemed excessive if it is designed to artificially create conditions for a compensation claim rather than to verify the lawfulness of data processing.
Non-material damage is a type of harm that does not involve financial loss, such as emotional distress, loss of control over personal data, or psychological anxiety caused by a privacy breach.
Why this ruling is a win for operational sanity.
As a data protection consultant who has designed operating models for UK banks like Lloyds and TSB, I see this judgment as a vital turning point for corporate risk management. Organisations have to handle “compensation hunters”, in this case an individual who subscribed to a newsletter specifically to trigger a DSAR, hoping that a minor procedural error might lead to a payout.
The court has correctly identified that the purpose of the GDPR is to serve mankind and protect fundamental rights, not to facilitate “gotcha” litigation. However, the burden of proof remains firmly on the business. This means your internal DSAR workflow must be bulletproof.
During my work with ProvePrivacy, we’ve found that companies without a solid DSAR log or a good understanding of the management of exemptions are more likely to lose a challenge in court. This ruling rewards the prepared but remains a trap for those with messy, manual processes.
The characteristics of a legitimate DSAR (below) are clear in the legislation, but this ruling tells us more about what makes a DSAR excessive or abusive.
Feature | Legitimate DSAR | Abusive or Excessive DSAR
Primary Goal | Verify data lawfulness/accuracy | Provoke a claim for damages
Timing | Ad hoc or specific concerns | Immediate (e.g., 13 days after signup)
Pattern | Reasonable and focused | Part of a documented “modus operandi”
Cost to User | Free of charge | Ability to apply a “reasonable fee” if excessive
Three questions a DPO should ask themselves.
Do we have a system to track DSAR patterns? You need to know whether you are receiving similar requests in order to identify patterns. If you are, can you manage this as a separate risk, or is it lost in your DSAR tracking system?
Can we prove the intent behind a request? If you refuse a request, or apply an exemption to part of one, do you have the evidence to defend that decision to a regulator? In this case the evidence was the timeframe between the newsletter signup and the DSAR; for exemptions, it is which exemptions were applied, to which data, and why.
Is our exemption documentation machine-readable and audit-ready? If a court asks why you refused a request, can you produce a clear log showing the “exemptions applied” or the “manifestly unfounded” assessment you performed?
Three actions you should consider.
Implement a Managed DSAR Workflow: Use software to automate the intake and tracking of requests. This ensures every step is timestamped, which is critical for proving that a request was handled within the legal one-month window.
Maintain a Centralized Exemption Log: Document every time you refuse a request or charge a fee. This log should include the specific qualitative reasons (e.g., “abusive intent evidenced by immediate request post-signup”) to meet the “burden of proof” required by Article 12(5).
Monitor Public Data Protection Forums: Stay informed about individuals known for systematic claims. The court explicitly stated that “publicly available information” about a subject’s history of claims can be used to establish abusive intent.
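As an added example (not code from the article or from ProvePrivacy), a minimal Python sketch of the timestamped intake and exemption log the three actions describe: each request gets a machine-readable record with its one-month deadline, objective timing and pattern markers, and any exemption decision with its ground and reason. The 30-day rapid-request threshold, the deadline-counting rule and the record fields are assumptions made for the example.

```python
import calendar
import json
from datetime import date, datetime, timezone

# Constructed threshold for flagging a request that follows signup very quickly.
# It prompts an investigation; it is not a rule from the ruling (that case involved 13 days).
RAPID_REQUEST_DAYS = 30


def response_deadline(received_iso: str) -> str:
    """One calendar month after receipt, clamped to the month end (31 Jan -> 28/29 Feb).
    Assumption: the one-month window is counted from the day the request is received."""
    d = date.fromisoformat(received_iso)
    year = d.year + d.month // 12
    month = d.month % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day)).isoformat()


def assess_dsar(subject_id, signup_iso, received_iso, history, exemption=None):
    """Build one audit record: deadline, objective timing/pattern markers and any exemption decision.
    Markers are facts to investigate; only the exemption field records a decision and its reason."""
    days_since_signup = (date.fromisoformat(received_iso) - date.fromisoformat(signup_iso)).days
    prior = [r for r in history if r["subject_id"] == subject_id]
    record = {
        "subject_id": subject_id,
        "received": received_iso,
        "response_deadline": response_deadline(received_iso),
        "days_since_signup": days_since_signup,
        "prior_requests": len(prior),
        "markers": [],
        "exemption": None,  # filled only when a documented decision is passed in
    }
    if days_since_signup <= RAPID_REQUEST_DAYS:
        record["markers"].append(f"request received {days_since_signup} days after signup")
    if prior:
        record["markers"].append(f"{len(prior)} earlier request(s) from this subject on file")
    if exemption is not None:
        # A refusal or fee must carry a ground (e.g. "Art. 12(5) manifestly unfounded or excessive"),
        # the qualitative reason, and who decided, or the record is rejected as not audit-ready.
        for key in ("ground", "reason", "decided_by"):
            if not exemption.get(key):
                raise ValueError(f"exemption decision must record '{key}'")
        record["exemption"] = dict(exemption)
    return record


def append_log(path, record):
    """Append the record as one JSON line with a UTC timestamp (append-only, machine-readable)."""
    entry = dict(record, logged_at=datetime.now(timezone.utc).isoformat())
    with open(path, "a", encoding="utf-8") as f:
        f.write(json.dumps(entry) + "\n")
    return entry
```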
Three pitfalls to avoid.
The “Knee-Jerk” Refusal: Never refuse a DSAR without a documented investigation. Even if you suspect a troll, a refusal without a strong evidence base could lead to a successful claim for “loss of control” compensation.
Ignoring Non-Material Damage: The court confirmed that “loss of control” over data is enough for a compensation claim. Don’t assume that because no money was lost, there is no risk; distress is a compensable harm.
Siloed Data Governance: If your marketing team handles signups and your legal team handles DSARs but they don’t talk, you will miss the “abusive intent” markers that only appear when you look at the timeline of the whole relationship.
Conclusion: Move from Defence to Proactive Compliance
This CJEU ruling is a powerful tool, but it is not a “get out of jail free” card. As someone who has delivered GDPR training to over 100 organisations, I cannot stress enough that the court still favours the individual. To protect your business, you must move away from reactive, manual data management.
The key to mitigating the risks highlighted in Brillen Rottler is a combination of robust software and clear incident management. By documenting your DSAR workflow and treating every exemption as a potential court exhibit, you turn your data protection from a liability into a shield. If you are unsure if your current process would stand up to the “abusive intent” test, now is the time to review your compliance operating model.
If you would like to learn more about how ProvePrivacy can help you to manage your DSARs accurately and defensively, book a 15-minute chat.