Following the ECJ judgement in Case C-526/24, the Arnsberg Local Court has ruled that a request for access under Article 15 of the GDPR may constitute an abuse of rights if it is specifically used to prepare a claim for damages. The decisive factor is a documented overall assessment of specific evidence, including unusual or economically implausible behaviour on the part of the data subject. The decision strengthens the position of data controllers in clearly demonstrable cases of abuse, but at the same time highlights the narrow limits of a refusal under Article 12(5)(b) of the GDPR.
The Local Court follows the ECJ
The Local Court adopts the two-stage abuse test developed by the ECJ. This test requires firstly, objective circumstances indicating that the purpose of the right of access is not being achieved despite formal compliance with the conditions; and secondly, a subjective element: the intention to artificially create the conditions for deriving an advantage from the GDPR.
Accordingly, even an initial request for access may already be ‘excessive’ within the meaning of Article 12(5) of the GDPR. What is decisive is not the number of requests, but their purpose. An abuse of rights is particularly likely where a data subject deliberately triggers data processing in order subsequently to assert a right of access and to base a claim for damages on an alleged infringement.
What facts convinced the court?
The court based its assessment on an overall evaluation of numerous pieces of evidence:
- the deliberate disclosure of additional data,
- a lack of discernible interest in the claimant’s products and in the newsletter,
- the timing,
- the conduct during the legal proceedings, and
- indications of a recurring pattern of behaviour.
In particular, the court emphasised that the defendant had used more personal data than was necessary, as he had, amongst other things, provided his first name and surname in addition to the non-anonymised email address. This is inconsistent with his claim that he is mindful of data protection.
The court could not identify any demonstrable interest in the newsletter. The defendant lived in Vienna, while the newsletter primarily advertised discount promotions in North Rhine-Westphalia branches, and the claimant only sold its goods in Germany. The court did not consider the claim of regular stays in Düsseldorf to be substantiated enough.
The Local Court interpreted the short time between registration and the request for information as an indication that there was no genuine interest in the information, but rather that the aim was to establish a basis for a claim for damages.
The claimant was also entitled to consider publicly available reports of a recurring pattern of behaviour, which the Local Court considered corroborated by the individual case's circumstances.
Furthermore, the court argued that no complaint had been lodged with the data protection supervisory authority; that the defendant had used a fax with a full letterhead to submit his request for information; that there was an assumed high number of unreported cases; and that the defendant had not appeared in person before the court. In particular, the Local Court considered that contacting the data protection supervisory authority would have been the more obvious course of action had the defendant genuinely been concerned with clarifying the matter and preventing future data protection breaches.
The legal consequences
As the request for information constituted an abuse of rights, the claimant was entitled to refuse to provide the information pursuant to Article 12(5)(b) of the GDPR. Consequently, there was no breach of the GDPR, which is a prerequisite for a claim under Article 82 of the GDPR. Furthermore, the court also referred to the ECJ’s ‘causality test’: if the alleged loss of control is primarily attributable to the conduct of the data subject themselves, a claim for damages is ruled out.
Assessment
The reasoning behind the decision is convincing: the right to access serves to ensure control over personal data, not to deliberately create exploitable breaches of duty. The approach of determining intent to abuse by taking a holistic view of external evidence is also methodologically sound.
What remains debatable, above all, is the weighting of individual pieces of evidence – such as economic considerations regarding the plausibility of an interest in the newsletter, the assumed number of unreported cases, and the consideration of subsequent conduct during the proceedings.
It is noteworthy that the fact of the defendant not lodging a complaint with the data protection supervisory authority was taken into account when assessing his interest in obtaining access. However, the GDPR deliberately provides for both recourse to the supervisory authority and the direct judicial enforcement of data subjects' rights, as set out in Articles 77 and 79. The defendant’s decision to refrain from lodging a complaint was, therefore, consistent with the regulatory framework of the GDPR. The question of whether conclusions can be drawn about the weight of the supervisory or information interests at stake from the fact that the supervisory authority was not called upon is likely to provoke debate. It remains to be seen whether other courts will adopt this approach in future cases.
Thus, in practice, the defence of abuse must remain an exception, be based on specifically substantiated circumstances and be documented promptly; otherwise, the outcome will depend heavily on the trial court’s assessment of the facts.
Conclusion
The Arnsberg Local Court is implementing the ECJ’s guidelines consistently and in a practical manner. The decision strengthens the position of data controllers in clearly substantiated cases of abuse, without generally undermining the right to access under Article 15 of the GDPR.
In practice, the following remains crucial: a refusal must remain the exception, be based on a documented overall assessment, and carefully distinguish between merely unusual behaviour and deliberate attempts to provoke a claim.