Following on from our blog earlier in the week concerning the ECJ’s recent decision on data subject access requests (DSARs), we take a brief look at different European countries and the role that DSARs have come to play in these jurisdictions.
Belgium
In Belgium, DSARs are on the rise as a means of collecting information in preparation for a potential claim for unreasonable or discriminatory termination, or simply to put pressure on the employer to come to an agreement after termination, but this trend remains fairly modest and employers are certainly not being flooded with requests.
The Belgian Data Protection Authority has already had to rule on the excessive nature of (successive) requests, but it is generally quite accepting in this regard. Conversely, it is strict on employers: a request may be deemed excessive only if the aim is to harm the employer’s interests. The mere multitude of requests or the conflictual relationship between employer and (former) employee is not sufficient to refuse a request.
France
In France, DSARs have also been on the rise as a means of collecting information in all types of litigation started by employees and/or as a strategy to put pressure on the employer in various types of conflict. It has become so systematic and the scope of the DSARs so broad that privacy specialists, especially in-house specialists, have been alerting the French Data Protection Authority to the difficulties of answering them and the excessive amount of resources invested in dealing with them in recent years.
The French Data Protection Authority has issued lengthy guidelines detailing various scenarios on how data controllers can find the appropriate balance to rightfully answer DSARs in a proportionate way, especially in the case of employees requiring access to their personal data contained in emails.
The French courts have been hesitant on this and we have noted inconsistent decisions, or at the least decisions have been hard to navigate, some recognizing an absolute right for any individual, including employees, to exercise their right of access whatever the underlying purpose, and others recognizing a much more limited scope of what employees can ask as part of their right of access in the context of litigation.
Germany
In Germany, DSARs have increasingly become a standard tool in employment disputes, often used to exert pressure and negotiate higher severance payments.
We have also seen cases in which companies appear to have been deliberately targeted under false motives followed – upon rejection – by DSARs aimed at constructing compensation claims. While there has so far been no consistent line of case law among the German labour courts, some courts have taken a notably data subject-friendly approach, at times resulting in damages awards. Companies confronted with such applications should therefore carefully assess their response strategy and consider seeking legal advice at an early stage.
This judgment may encourage a more critical scrutiny of such practices. However, it is unlikely to mark a true turning point, as the burden of proving an abusive request remains with the data controller, setting a high threshold for rejecting access requests. The ECJ also makes clear that refusing a DSAR remains the exception.
Ireland
Irish employers are experiencing an increase in the strategic use of DSARs, particularly in contentious employment situations. What was once a relatively straightforward transparency tool is now routinely deployed as part of grievance escalation, pre‑litigation positioning, and even as leverage in settlement discussions. The trend is that DSARs are becoming broader, more sophisticated, and increasingly used to test the robustness of an employer’s HR and data‑governance systems.
The Irish Data Protection Commission (DPC) has repeatedly emphasised that DSARs must be processed promptly and not deprioritised simply because they arise in the context of a dispute. While the DPC has not issued a guidance note on DSARs in employment, its decisions and case studies consistently reinforce several themes:
- employers cannot refuse a request on the basis that it is “litigation‑driven”;
- they must be able to demonstrate active, documented searches; and
- they must justify any redactions with reference to specific GDPR exemptions.
The DPC has also stressed that delays caused by poor data‑mapping or fragmented HR systems are not valid excuses.
Against that backdrop, the recent ECJ judgment on “excessive” requests is timely; it confirms that a first DSAR cannot be dismissed as abusive simply because it is burdensome or linked to a dispute, which aligns closely with the DPC’s established position. For Irish employers, the message is clear: DSARs are a central feature of the employment‑law landscape, and organisations need mature, defensible processes rather than ad‑hoc responses.
Netherlands
In the Netherlands, as in other jurisdictions, the introduction of the GDPR has heightened employee awareness of their rights of access. In practice, some employees submit DSARs to prepare a defence against a (threatened) termination for underperformance or to support discrimination claims, though such cases remain relatively limited. In 2025, the Dutch Data Protection Authority (AP) received over 13,000 complaints and notifications, up from 7,100 in 2024, a reflection that individuals are increasingly exercising their GDPR rights.
A notable recent case involved DPG Media, which requested copies of ID from individuals submitting DSARs outside its secure login system. The AP ruled that this violated the GDPR’s obligation to properly facilitate access requests. On appeal, the Administrative Jurisdiction Division of the Council of State confirmed the violation and upheld the AP’s authority to impose a fine, which was ultimately set at EUR 262,500. While the DPG case did not involve an employment relationship, it highlights the importance of complying with GDPR obligations, as non-compliance can result in serious legal and financial consequences.
Poland
In Poland, DSARs aren’t a hot topic (yet), and the Polish Data Protection Authority has not ruled on the use of DSARs in an employment context.
United Kingdom
The UK is increasingly seeing the use of DSARs as a pre-litigation tool. Whilst there have previously been efforts through draft legislation to relieve the burden of DSARs (including refusal of ‘vexatious’ requests), such amendments were not ultimately applied. However, the amendments proposed under the European Omnibus Package could mark a significant change to the way in which DSARs are used, particularly in the forementioned circumstances, where they are being used as a pre-litigation tool.
The proposed amendments would provide data controllers with the opportunity to charge a reasonable fee or, in the alternative, refuse requests where the data subject ‘abuses’ the rights under GDPR for a reason other than the protection of their data. It will remain to be seen what this means in practice and how such ‘abuses’ can be defined, but this would be a welcomed change by employers. This is particularly so as we see the use of AI exacerbate the already extensive time and efforts being spent responding to DSARs and particularly where it becomes clear that the individual is searching for information other than their personal data.
The use of AI, either to make or support a DSAR, and to review the output of DSARs is another trend in the UK. This can have a significant impact on the proportionality of the request and requires employers to take further steps to consider reasonable and proportionate searches, including consideration of appropriate date parameters, suggested custodians, etc. However, employers should be mindful that, just because a DSAR appears excessive, it does not automatically mean it is complex and requires an extension, for example.
The scope of items which may be caught in a DSAR is something else where there has been a shift, with the outputs from technology tools potentially being captured in DSAR outputs. As an example, we have recently seen the outputs from Microsoft Co-Pilot captured, this being something which at the point of use by an employer was not anticipated as being disclosable.
Use of recordings and transcripts is another area where challenges have arisen. Where any recordings are taken, for example to capture investigation meeting notes, it is important to be clear with all parties that this is happening and the manner in which that will take place and how it will be used. A failure to do so can prove problematic if a data subject subsequently receives a transcript of a meeting that was not meant to be recorded or which they were not informed of within their DSAR output.
