
Freshfields TQ

Technology quotient - the ability of an individual, team or organization to harness the power of technology


It’s not just about the quantity, but also about the intent: CJEU’s take on "excessive" requests under the GDPR

Is there a threshold for the number of requests under the GDPR after which they can be denied? The Austrian data protection authority certainly thought so when it rejected an individual’s complaint, qualifying it as ‘excessive’. Not so fast, says the Court of Justice of the European Union (CJEU). In a recent judgment on 9 January 2025, the CJEU clarified the criteria for what constitutes “excessive” requests under Article 57(4) GDPR, emphasizing that it is not just about the number of requests made by the data subject, but more about the abusive intent behind them.

While this ruling primarily concerns the interpretation of Article 57(4) GDPR (which relates to the tasks of the data protection authorities in handling complaints lodged by data subjects), the conclusions drawn by the CJEU could also be applied when data controllers need to demonstrate that data subjects’ requests are excessive under Article 12(5) GDPR, given the similar wording of these two Articles. It is noteworthy that the CJEU itself made a reference to Article 12(5) GDPR while ruling on Article 57(4) GDPR.

For companies, this CJEU decision is thus particularly relevant when it comes to invoking Article 12(5) GDPR in order to refuse to act on access requests made on the basis of Article 15 GDPR. These requests are sometimes submitted in series, within short periods, by the same individuals, and often for purposes that are unrelated to data protection, such as preparation for litigation. It is currently difficult for companies to reject such access requests when they appear to be excessive, and this new ruling from the EU’s highest court may help shed light on when they can do so.

1 - Background of the Case

The case (C-416/23) was referred to the CJEU by the Supreme Administrative Court of Austria (Verwaltungsgerichtshof) and involved the Austrian data protection supervisory authority (Österreichische Datenschutzbehörde) and an individual. The dispute arose from the authority’s refusal to act on a complaint lodged by the individual, citing the ‘excessive’ nature of the request. The individual had submitted 77 similar complaints within approximately 20 months, directed against different controllers, and regularly contacted the authority to report additional facts and make further requests. The authority deemed these actions ‘excessive’, leading the individual to challenge the decision.

2 - Key Legal Questions

The CJEU was asked to interpret several key aspects of the GDPR. Specifically, the second question brought to the CJEU was about the criteria for determining if requests made by an individual are ‘excessive’ under Article 57(4) GDPR. In that context, the CJEU considered whether the number of requests lodged during a given period could in and of itself render them excessive, or if other factors, such as an abusive intent, must also be considered.

The third question addressed the options available to supervisory authorities under Article 57(4) GDPR in cases of ‘excessive’ requests. The CJEU explored whether supervisory authorities have the discretion to either charge a reasonable fee based on administrative costs or refuse to act on the requests, and under what circumstances each option should be applied.

3 - CJEU’s Interpretation

Excessive Requests

First, since the GDPR does not define ‘excessive requests’, the CJEU suggests referring to the term’s usual meaning in everyday language, which denotes something that exceeds the ordinary, reasonable, desirable, or permissible amount.

Second, while Article 57(4) GDPR clearly indicates that requests may be ‘excessive’ particularly when they are repetitive, the CJEU found it necessary to interpret this provision in the context of the GDPR’s objectives, especially those outlined in Articles 12 and 15 GDPR, which relate to the principles of transparency and the right of access to personal data.

The CJEU reasoned that the mere number of requests made by an individual should not automatically indicate excessiveness. Rather, if an individual has made several requests for access to one or more controllers without obtaining a satisfactory response, the number of complaints submitted to a supervisory authority could correspond to the number of refusals given by those controllers. Thus, setting an absolute numerical threshold for ‘excessive’ complaints could undermine GDPR rights.

Instead, the CJEU considered that supervisory authorities bear the burden of proof and must demonstrate an abusive intention by the individual who made the requests. Abusive intentions could stem from the data subject’s intention to make requests:

  • for purposes unrelated to the protection of their rights under the GDPR,
  • which are not objectively necessary to protect GDPR rights, or
  • to disrupt the supervisory authority’s functioning by overwhelming it with requests.

Going forward, there may be an argument that these criteria could also be used by analogy to qualify ‘excessive’ requests when they are addressed to data controllers, as the wording is similar and the CJEU itself noted the parallelism.

Supervisory Authority’s Options

When dealing with excessive requests, the CJEU clarified that under Article 57(4) GDPR, supervisory authorities generally have the discretion to either charge a reasonable fee based on administrative costs or refuse to act on the requests. This interpretation stems from the fact that the options in Article 57(4) GDPR are separated by the mere conjunction ‘or’, without setting any priority between the available options. However, the CJEU emphasized that any choice by the supervisory authority must be reasoned, appropriate, necessary, and proportionate, considering all relevant circumstances.

The CJEU noted that it might be appropriate for a supervisory authority, aiming to end an abusive practice that disrupts its effective operation, to first charge a reasonable fee based on the administrative costs of handling excessive complaints. Nonetheless, the CJEU also stressed that Article 57(4) GDPR does not oblige the supervisory authority to always first apply the option of charging a reasonable fee. Instead, when faced with excessive requests, a supervisory authority may, by reasoned decision, choose between charging a reasonable fee based on administrative costs and refusing to act on those requests, taking into account all relevant circumstances. 

4 - Conclusion

The decision clarifies the meaning of ‘excessive requests’ under Article 57(4) GDPR, emphasizing that it is not merely the number of requests that matters but the intent behind them. Furthermore, the decision sets a high but workable threshold for refusing requests or charging fees, requiring a well-reasoned and proportionate approach to ensure that data subjects’ rights are not arbitrarily restricted.

While this decision primarily interprets Article 57(4) GDPR regarding supervisory authorities’ tasks, it could also be useful to data controllers in demonstrating when data subjects’ requests (such as access requests under Article 15 GDPR) may be considered ‘excessive’. For instance, this may be the case when requests are clearly unrelated to safeguarding the rights under the GDPR or aim to disrupt the company’s operations.
