Weaponised DSARs: When Can Irish Organisations Say “No”?
Lessons from Brillen Rottler GmbH & Co. KG v TC (C‑526/24)
Access requests are meant to empower individuals – but what happens when they are used as a weapon? A recent CJEU decision has opened the door for controllers to push back on abusive DSARs, but only if they can prove it.
If you work in HR, complaints, or legal, that line probably feels uncomfortably familiar. Data subject access requests (DSARs) are supposed to help people understand how their data is used. Increasingly, some are being used as a weapon – to punish, distract, or gain leverage in a separate dispute.
On 19 March 2026, the Court of Justice of the European Union (CJEU) handed down its judgment in Brillen Rottler GmbH & Co. KG v TC (Case C‑526/24). The Court confirmed that organisations can push back on abusive DSARs – even a first request – but only where they can prove that abuse. No shortcuts, no gut feelings.
Why DSARs feel like hand grenades
On paper, a DSAR is simple: someone asks for a copy of their personal data, and you respond within a month. In the real world, it looks more like this:
A disgruntled ex‑employee demands “all data you hold about me since 2004”.
A litigant fires off multiple DSARs alongside solicitor’s letters and social media posts.
A parent in an educational dispute threatens to “make you spend all your time on access requests”.
The workload is real. Email archives, Teams chats, PDFs, case management systems, CCTV, HR files – all suddenly in scope. The temptation to label a request “abusive” and move on is strong.
The CJEU’s decision in Brillen Rottler gives organisations a tool, but it comes with a warning label: you can only rely on abuse if you can show your workings.
What Brillen Rottler actually opened the door to
The GDPR has always allowed controllers to refuse to act, or to charge a fee, if a DSAR is “manifestly unfounded or excessive”. The grey area was whether “excessive” could include bad‑faith use of the right.
In Brillen Rottler GmbH & Co. KG v TC, the CJEU held that:
A DSAR can be excessive because it is abusive – for example, where it is made with the intention of artificially creating the conditions for a compensation claim under Article 82 GDPR, rather than to check how data is processed.
This can apply even to a first request. There is no automatic “first one is always valid” rule.
The burden of proof is on the controller. You must demonstrate, in light of all relevant circumstances, that the request is not genuinely about transparency and rights, but about an abusive purpose.
Access remains a fundamental right. Abuse is the exception. Any refusal must be narrowly justified and supported by evidence.
Think of it this way: Brillen Rottler did not give controllers a “get out of DSAR free” card. It gave them a narrow, well‑lit emergency exit that must be used carefully and documented meticulously.
How abusive DSARs show up in practice
Abuse is about behaviour, not about whether the organisation finds a request annoying or time‑consuming. Some patterns that often ring alarm bells:
1. Openly hostile or harassing use of the right
Emails that explicitly threaten to “cripple” the organisation with endless DSARs.
Statements that the requester has no interest in the data – they just want to cause trouble.
2. Machine‑gun requests with no interest in content
Near‑identical DSARs fired in quick succession, ignoring previous responses.
New requests lodged before the ink is dry on the last reply, with no attempt to engage on the information already provided.
3. DSARs as bargaining chips
“I’ll stop sending these if you pay my claim.”
“Withdraw the disciplinary and I’ll drop all my access requests.”
4. Demands for obviously non‑personal information
Requests framed as subject access but seeking internal commercial strategy, anonymised statistics, or board‑only papers – and flat refusal to narrow scope when this is explained.
By contrast, a request does not become abusive just because:
It lands during a contentious grievance or legal dispute.
It is very broad and will clearly take work.
The requester is combative, badly‑behaved, or legally savvy.
Those are warning signs, not conclusive proof.
A simple three‑part test before you say “no”
Before any Irish organisation refuses a DSAR as abusive, it should be able to walk through a short, sharp internal test.
(a) Purpose: what is this really about?
Does the language used suggest a genuine attempt to understand and verify personal data?
Or does the requester say – or strongly imply – that they are using the DSAR purely as a weapon or to set up a damages claim?
The factual pattern in Brillen Rottler is a useful illustration: the central question was whether the request aimed to verify processing or was primarily designed to generate compensation.
(b) Pattern: is this a one‑off or part of a campaign?
Is this a single, broad request, or one of many overlapping requests in a short period?
Has the requester shown any interest in engaging with previous replies?
Are there signs of escalation purely in volume and aggression, not in substance?
A one‑off awkward DSAR is rarely enough. A clear campaign of bombardment is much more persuasive.
(c) Proportionality: have you tried to be reasonable?
Have you offered to narrow the request, and has that been flatly rejected without good reason?
Is there a sensible staged approach you could take instead of outright refusal?
Does the effort required look wildly out of proportion compared with the benefit the requester can obtain?
A regulator will look first at how you tried to solve the problem before you reached for the abuse label.
What a defensible DSAR process looks like
If you want the option of pushing back on abusive DSARs, you need a DSAR process that looks grown‑up and repeatable, not improvised.
Put Brillen Rottler into your written procedure
Your DSAR procedure should:
Mention that, in line with Brillen Rottler (C‑526/24), a DSAR may in rare cases be refused as excessive where it is clearly abusive.
Explain, in plain English, what “manifestly unfounded or excessive” can mean.
Set out the steps for assessment – who reviews, what they look at, how they record their reasoning.
Require senior sign‑off (DPO or equivalent) for any refusal or fee based on abuse.
Mandate a written note of the decision and the evidence relied on.
That way, if the Data Protection Commission ever asks “why did you refuse this?”, you are not relying on faded memories of a heated email thread.
Train the people on the front line
The first person who reads the DSAR can make or break your response. Give them:
Examples of valid but difficult requests vs abusive patterns.
Clear instructions on when to escalate.
Template acknowledgements and clarification emails so they are not drafting under pressure.
If a receptionist, service agent or junior HR staff member feels out of their depth, they are more likely to ignore, delay or respond inconsistently – all of which increase your risk.
Use dialogue before defence
Before you ever consider refusing a DSAR as abusive:
Invite the requester to focus on particular topics, timeframes or systems.
Explain, without drama, the scale of the search involved and what is realistically achievable.
Offer options: for example, provide HR file and complaint‑related data first, then agree a second phase if needed.
Often, this conversation flushes out whether the requester actually wants the data or simply wants to create pain.
Keep a proper DSAR log
Your log should record:
Who requested what, and when.
How you interpreted the scope.
Any narrowing, clarification or negotiation.
Whether abuse was considered, what evidence existed, and the decision taken.
Deadlines, extensions and final response dates.
If you ever have to justify your approach, this log becomes your best friend.
Four traps that will get you into trouble
The biggest risk now is over‑correcting – treating Brillen Rottler as a green light to push back aggressively on anything that looks hard.
Watch out for these traps:
1. Calling everything you dislike “abusive”
If every contentious DSAR in your log is marked “excessive / abusive”, expect scrutiny. Abuse should be the exception, not the rule.
2. Going silent on tactical requests
Ignoring a DSAR because you believe it is tactical is almost always worse than engaging. Acknowledge, assess, respond – even if that response is ultimately a justified refusal.
3. Forgetting partial compliance
Sometimes part of the request is clearly valid and manageable. Providing that data while explaining why the rest is excessive is often safer than an all‑or‑nothing stance.
4. Using abuse to mask weak systems
If your records of processing are incomplete, searches are manual, and retention is patchy, every DSAR will feel abusive. Fixing those fundamentals will do far more for your sanity – and your risk – than aggressive refusals.
DSARs as a stress‑test of your GDPR maturity
It is tempting to think of DSARs as a self‑contained problem: awkward, time‑consuming, but ultimately just one GDPR right among many. In reality, they are a live stress‑test of your entire privacy programme.
To handle DSARs well – including the abusive ones – you need:
Clear records of what you process and where.
Real‑world retention and deletion, not just a policy on a shelf.
Staff who know what a DSAR looks like and how to route it.
Governance that can stand over difficult decisions.
Brillen Rottler does not change that. It simply adds a controlled pressure‑release valve: in rare cases where the right of access is being deliberately weaponised, Irish organisations can say “no” – but only if they can show exactly why.
For everyone else, the safest strategy remains the same: treat DSARs as a serious right, build strong processes, document your reasoning, and make sure that if the Data Protection Commission ever comes calling, your answers are calm, consistent and fully backed by evidence.