“Manifestly excessive” requests under GDPR: Abusive intent required
In Case C-416/23 Österreichische Datenschutzbehörde v FR, the Court found that the number of requests/complaints made by a data subject is, on its own, not sufficient for a supervisory authority to categorise the requests as “manifestly excessive” under Article 57(4) GDPR. Rather, what is required is that an abusive intention on the part of the person in question be established, having regard to all the relevant circumstances of each case.
This case concerned 77 similar complaints made by a data subject to the Austrian supervisory authority (DSB) regarding different controllers within a period of 20 months. The data subject had also regularly contacted the DSB by phone to make additional requests.
The Court held that considering only the number of complaints made could lead to an arbitrary infringement of a person’s rights under the GDPR. As a result, a finding of an abusive intention on the requester’s part is required. This may occur where a person has lodged complaints in circumstances where it was not objectively necessary to do so in order to protect their rights under the GDPR. A supervisory authority receiving a large number of complaints must demonstrate, on the basis of the particular circumstances of each case, that the number of requests is explained not by the data subject wishing to obtain protection of his or her rights under the GDPR, but by some other purpose, unconnected with the protection of those rights.
In Case C-526/24 Brillen Rottler GmbH & Co. KG v TC, the Advocate General found that controllers may only consider an initial data subject access request to be excessive “in exceptional circumstances”, and that there must be “strict criteria” for such a finding. Such circumstances require the controller to prove an abusive intention on the part of the data subject.
In this case, the data subject submitted an access request after consenting to the processing of his data. The controller refused and the data subject sought compensation of €1,000 for alleged non-material damage.
The Advocate General considered that it appeared that the data subject wished to exploit the protection of Article 15 GDPR for purposes other than the protection of his data. The Advocate General noted that such exploitation may occur where data subjects intend to cause the controller to refuse the access request so that they can then demand compensation. The Advocate General considered that making an access request with such intention would be abusive and should not be protected under the GDPR.
Additionally, the Advocate General noted that the fact that publicly available information pointed to the data subject asserting their right to compensation in a large number of cases “is not sufficient, in itself and without further evidence, to demonstrate an abusive intention”.
Key takeaway
These cases demonstrate that controllers cannot rely on the volume of requests made, or on the fact that a data subject has claimed compensation in a large number of cases, to avoid honouring data subject access requests on the ground that they are manifestly excessive. What is required is an abusive intent on the data subject’s part, such that they are using their rights of access as a mechanism to achieve some goal unrelated to the protection of their personal data.
No right of access to data lawfully deleted
In Case T-318/24 WS v Commission, the General Court held that, in response to an access request, controllers are not required to (i) restore and provide data that has been deleted lawfully; and/or (ii) identify staff members appearing in access logs, as those employees are not considered recipients of personal data.
Non-material damages for “negative feelings” and “uncertainty” resulting from breach of GDPR
In Case T-354/22 Bindl v European Commission, the General Court awarded compensation for non-material damage resulting from a breach of data transfer rules under the GDPR.
This case involved the transfer of a data subject’s personal data by the European Commission to the U.S., in circumstances where the European Commission (EC) did not rely on an appropriate safeguard for the transfer, as required under Article 48(1) GDPR. The Court found that the data subject suffered non-material damage as the data subject was put in a position of uncertainty regarding the processing of their personal data, in particular their IP address. The General Court found that there was a “sufficiently direct causal link” between the infringement by the EC of the law and the non-material damage suffered. The EC was ordered to pay the data subject €400 in damages.
In reaching its decision, the Court held that compensation can be awarded for non-material damage resulting from breach of the GDPR, provided that the damage is “actual and certain” rather than “hypothetical and indeterminate”.
In Case C-655/23 IP v Quirin Privatbank AG, the Court found that “negative feelings” may, under certain circumstances, entitle a data subject to compensation for non-material damage. This case set a high bar with regard to the data subject’s burden of proof, requiring concrete evidence for such negative feelings and the resulting negative consequences. The Court also held that national courts have the power to assess the validity of a plaintiff’s allegations on a case-by-case basis.
The Court also found that the seriousness of fault on the part of the controller is not required to be considered under Article 82 GDPR when determining compensation for non-material damage.
Liability of online platforms as controller in respect of user-generated content
In Case C-492/23 Russmedia Digital and Inform Media Press, the Court found that an online marketplace was a controller in respect of personal data contained in user-generated advertisements that were published on its site. The Court also held that an online marketplace that is a controller cannot rely on the exemptions from liability in Articles 12-15 of the e-Commerce Directive (which is now governed by the Digital Services Act) to avoid liability under the GDPR.
This case involved an advertisement for sexual services posted by a user which contained personal data of the claimant without her consent, including her photographs and phone number.
The Court outlined the following reasons as to why the online marketplace acted as controller:
- Advertisements published by the marketplace were not published exclusively on behalf of the user and solely for the user’s purposes; they were also published for the marketplace’s own commercial purposes, as evidenced by its terms and conditions, which provided broad scope for the platform to use the information published in a wide variety of ways and for any reason.
- The marketplace was involved in determining the purposes of the processing.
- It was irrelevant that the platform had not determined the content of the advertisement.
- The platform set the rules for the distribution of advertisements containing personal data and had a decisive influence on the overall distribution of such data.
- The marketplace allowed advertisements to be placed anonymously and this enabled the publication of personal data without consent.
The Court found that, as controller, online marketplaces are under an obligation to have appropriate technical and organisational measures in place to carry out the following steps before the publication of an advertisement containing special category personal data:
- Identify advertisements that contain special category personal data;
- Verify whether the user placing the advertisement is the same individual as that whose personal data appears in the advertisement; and
- Prevent publication of the advertisement unless the user placing it can show that the data subject has given their explicit consent to their data being published on the marketplace, or unless one of the other exceptions in Article 9(2) GDPR is satisfied.
The Court also found that where online marketplaces are controllers, they must implement appropriate technical and organisational security measures to prevent advertisements that are published on their platforms containing special category personal data from being replicated and unlawfully published on other websites.
The Court found that, once an advertisement containing special category personal data is published, the online platform and the user are joint controllers in respect of personal data contained within it.
Key takeaway
This case is significant for online marketplaces and online platforms generally, as it makes it clear that such platforms can be controllers in respect of personal data contained in user-generated content and that the liability exemptions under the e-Commerce Directive cannot be relied upon to avoid obligations as controller in such circumstances. That said, the facts of this case, such as the terms and conditions giving the platform a right to use the personal data, are relevant to the decision. As such, whether an online platform acts as a controller in respect of personal data contained in user-generated content will likely need to be assessed on a case-by-case basis.
Trade secrets and provision of information regarding automated decision making
In Case C-203/22 CK v Magistrat der Stadt Wien, the Court held that the obligation in Article 15(1)(h) GDPR to provide data subjects with ‘meaningful information about the logic involved’ in automated decision making, including profiling, means that the controller must provide a full explanation of the procedure and principles actually applied when using automated decision making to obtain a specific result e.g., a credit profile.
Where providing such information may result in disclosure of a trade secret of the controller, the controller should provide the information to the competent supervisory authority or court for an assessment to be made as to what is the correct balance between the competing rights and interests involved and thus the extent of the data subject’s right of access to the information.
Pseudonymised data
In Case C‑413/23 P SRB v EDPS, the European Court of Justice held that pseudonymised data may not be personal data in all cases. If data is pseudonymised in such a way that others (excluding the controller) are effectively prevented from identifying the data subject, so that the data subject is no longer identifiable to them, then it may not be personal data.
In determining whether a data subject is identifiable, all the measures that are reasonably likely to be taken to identify the individual directly or indirectly should be taken into account.
With respect to transparency requirements, the Court held that even in cases where pseudonymised data is not personal data, a controller’s privacy policy should still provide information on the disclosure of such pseudonymised data to third parties.
Right to rectify inaccurate record of gender identity
In Case C-247/23 Deldits, the Court held that a person has the right under Article 16 GDPR to rectify an inaccurate record of their gender identity. In seeking such rectification, a person may be required to produce evidence to demonstrate that the data relating to their gender identity is inaccurate.
This case involved an Iranian national who obtained refugee status in Hungary and whose gender was recorded on the Hungarian asylum register as female, even though the person identified as male. The individual sought rectification of this data and provided medical certificates demonstrating that their gender identity was male. The Hungarian asylum authority refused to correct the data without proof of gender reassignment surgery.
The Court considered the right of data subjects to obtain the rectification of inaccurate personal data. The Court held that whether data is accurate and complete must be assessed in the context of the purpose for which the data was collected. If the purpose of collecting the data was to identify the data subject, then the relevant data to record is the person’s lived gender identity rather than the gender identity that they were assigned at birth.
The Court found that a person may be required to provide “relevant and sufficient evidence” reasonably required to establish that the record of their gender identity is inaccurate. A medical certificate, including a psychiatric diagnosis, may be sufficient for this purpose and evidence of gender reassignment surgery cannot, under any circumstances, be required from the individual.
Data minimisation and gender data
In Case C-394/23 Mousse v Commission nationale de l’informatique et des libertés (CNIL), SNCF Connect, the Court held that processing gender data of customers is not necessary in the context of purchasing a transport ticket.
A company selling train tickets claimed that it was processing personal data relating to the gender of customers for the purpose of personalising their commercial communications to those customers.
The Court held that such processing is not objectively necessary for the performance of the contract with the passenger.
In addition, such processing is not necessary in pursuance of the legitimate interests of the controller or a third party in circumstances where (i) customers are not informed of the legitimate interest pursued when the data is collected; (ii) the processing is carried out beyond what is strictly necessary to achieve that legitimate interest; or (iii) in the circumstances, the rights and freedoms of customers outweigh the legitimate interest, particularly where there is a risk of discrimination based on gender identity.
Processing personal data of representatives of legal persons
In Case C-710/23 Ministerstvo zdravotnictví (Données relatives au représentant d’une personne morale), the Court held that disclosing the name, signature and contact details of a natural person who is representing a legal person (for example, a director representing a company) constitutes the processing of personal data. It is irrelevant that the only reason such details are disclosed is to identify the natural person(s) authorised to act on behalf of a legal person.
The Court also held that the GDPR does not prevent national case-law from requiring controllers (who are public authorities tasked with balancing public access to official documents and the protection of personal data) to inform and consult relevant individuals before disclosing documents containing their personal data. This obligation must be feasible, must not require disproportionate effort and must not lead to public access to such documents being disproportionately restricted.
Right of access to EDPB files
Case T‑183/23 Ballmann v EDPB affirmed that data subjects have a right of access to files related to EDPB proceedings.
This case concerned a request for access by a data subject to an EDPB file relating to a binding decision the EDPB had made in respect of the data subject’s complaint against Meta. The EDPB refused to grant the data subject access to its decision.
The General Court held that the right of access under Article 41(2)(b) GDPR is not confined to situations in which the data subject is adversely affected by the EDPB’s decision. The General Court found that:
- The right of access is associated with the right to have cases handled impartially, fairly and in a timely manner. This may imply a requirement to provide an individual with the administrative file concerning them;
- A person also has a right to such a file in accordance with the right to good administration in the Charter of Fundamental Rights; and
- Every data subject has the right under the GDPR to lodge a complaint with a supervisory authority and to be informed by that supervisory authority of the progress of that complaint and the outcome.
With thanks to Emma Haddigan for her contributions to this summary.


