Mira Husemann
Research Associate
Introduction
The General Data Protection Regulation (GDPR) aims to strengthen the rights of data subjects and enables them to defend themselves against data protection breaches committed by data controllers. In contrast, exculpatory avenues available to companies are limited, which makes defending against claims more difficult. Given the data-subject-friendly nature of the GDPR, companies are faced with the question of how to deal with cases in which data protection claims are asserted abusively. For example, situations may arise in which alleged data protection violations are merely put forward to obtain financial compensation for harm that has not actually been suffered.
The principle of abuse of rights also applies under data protection law and prohibits the exercise of a right where a formal legal position is exploited in an excessive or improper way without a legitimate personal interest. In the context of data protection law, such situations may begin with a contact enquiry via a corporate website or a newsletter subscription, but terminations of employment or the rejection of a job application can also regularly lead to the assertion of data protection claims, which must then be carefully examined by the data controller. The challenge for companies lies in fulfilling their obligations under data protection law and handling data subject requests correctly and within the required time frames on the one hand, and on the other hand in recognising, substantiating and successfully defending themselves against abusive claims.
Proving intentional abuse of rights is generally difficult, with the burden of presentation and proof lying with the company. If the company succeeds in presenting sufficiently substantiated evidence indicating an abuse of rights, it is then for the claimant to refute these allegations.
A strong indicator is when an individual has already brought a large number of actions in similar cases (so-called 'serial claimants' or 'professional litigants'). These individuals typically search online for judgments in which compensation claims have been awarded or for fines already imposed, subsequently reviewing corporate activities for data protection breaches in connection with specific, relevant actions — such as newsletter subscriptions — in order to deliberately engineer an alleged harm. If such claims are asserted with solicitors’ letters, it may be worthwhile for companies to conduct a brief online search for the opposing solicitor. If the opponent’s solicitor openly advertises on their website a focus on pursuing data protection breaches, or boasts of successful mass warnings or collective actions and has made a business model of this approach, the possibility of an abuse of rights should be seriously considered. In such cases, it is advisable to consult the company’s data protection officer on a regular basis.
A further strong indication of an abuse of rights may be found where the claimant presents the alleged violation in an extensive and detailed manner, which is disproportionate to the infringement being raised. For instance, this may concern cases such as a data access request following a newsletter subscription or a rejected job application, where the personal data in question originates from the individual themselves. In such situations, claimants often elaborate at great length on the alleged violation, for instance due to supposed incomplete disclosure, when in fact the (allegedly) missing information provides little or no additional benefit to the data subject. If, following this, the individual offers to withdraw the claim in exchange for immediate compensation, it is clear that their real interest does not lie in the protection of their personal data (cf. EDPB guidelines 01/2022, para. 190).
Equally conspicuous are situations in which there was no prior relationship between the claimant and the company. For example, an individual might deliberately establish a legal relationship by signing up for a newsletter solely to assert potential data protection claims — such as for access to personal data or compensation — thereafter. In these cases, a very short period of time between the initial contact and the assertion of the claim can also be an indicator of an abuse of rights. However, from the company’s perspective, even if one or more indicators suggest such abuse, each case must still be assessed individually.
When defending abusive claims, various challenges arise. Potential solutions, as gleaned from case law, will always depend on the nature of the claim being asserted.
Pursuant to Article 15 (1) GDPR, data subjects have the right to be informed whether and what personal data concerning them are being processed. Access requests facilitate the effective enforcement of data subject rights; therefore, there are no onerous requirements — such as the need to give reasons — imposed on the applicant. According to European case law, it is irrelevant if an access request is made for reasons unrelated to data protection (ECJ, decision dated 26.10.2023 – C-307/22). Access may, therefore, not be denied merely because the data subject pursues a different purpose than seeking knowledge about the data processing or verifying its lawfulness. Consequently, in cases where an access request is made in response to a company’s poor performance or an employment dispute, the company is not exempt from providing the information. However, this does not mean that the intent behind the access request must always be disregarded. At the latest, in cases of manifestly unfounded or excessive — frequently repeated — requests, provision of information may be refused or a reasonable fee may be charged under Article 12 (5) sentence 2 GDPR.
Moreover, access requests present the problem that the type and scope of information required are not always immediately clear, which can easily lead to doubts as to the completeness of the response. However, a mere suspicion of incompleteness is insufficient to compel the company to provide more extensive information (Federal Court of Justice, decision dated 15.06.2021 – VI ZR 576/19). If the data subject simply asserts, without supporting evidence, that the company holds further information that must be disclosed, fulfilling the access request may then be refused with reference to the original disclosure provided.
Article 82 (1) GDPR states: “Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.” According to the case law of the Court of Justice of the European Union (ECJ), not every violation of the GDPR automatically gives rise to a right to compensation (ECJ, decision dated 4.5.2023 – C-300/21). In addition to a breach of data protection law, damage and a causal link between the breach and the damage are required; these prerequisites must also be proven by the claimant.
Problems arise in cases where compensation is sought for alleged non-material damage resulting from a violation of personal rights. This is because, in the ECJ’s view, the damage does not have to exceed a threshold of seriousness in order to be compensable, meaning that even minor non-material harms may potentially trigger a right to compensation. In cases of abuse of rights, it is often alleged, using template-like phrases, that the claimant has suffered a “loss of control” or is “annoyed”. While such a loss of control or the fear of data misuse can indeed constitute non-material damage, a mere assertion — without any proven negative consequences — is not sufficient. Without evidence provided by the claimant, there is no actionable loss of control, but rather only a purely hypothetical risk (ECJ, decision dated 25.01.2024 – C-687/21; Federal Court of Justice, decision dated 13.05.2025 – VI ZR 186/22). In scenarios involving deliberate self-harm, for instance when an individual visits a website with the expectation of encountering unlawful data processing, damages are generally to be denied. Similarly, compensation may fail due to a lack of causal loss of control if the alleged breach concerns data over which the data subject had already lost control due to prior disclosures by third parties.
Serial claimants often make requests for information followed directly by claims for compensation due to the alleged incompleteness of the disclosure. Therefore, whenever a claim is asserted against the company, it should consider what the data subject is likely aiming to achieve. If there are indications pointing to an abuse of rights, investigations should be carried out and supporting evidence gathered. Consulting the company’s Data Protection Officer can be useful, as serial claimants may already be known to them. It is also important to monitor relevant data protection rulings and fines.
Due to the accountability under the GDPR, a company’s data protection activities should be comprehensively documented so that, in the event of a dispute, the technical and organisational measures taken to refute an alleged data protection breach can be demonstrated. This documentation should include the facts of the case and the communication history regarding an asserted claim or a subject access request. In particular, when handling access requests, internal workflows should be established and responsibilities clearly defined to ensure completeness.
Where there is a suspicion of abuse of rights, various countermeasures can be considered to successfully defend against abusive claims. For evidently unfounded or excessive access requests, the company may, pursuant to Article 12 (5) sentence 2 GDPR, refuse to provide the information; however, the burden of presentation and proof lies with the company. Alternatively, the company may require a reasonable fee for providing the information. Furthermore, if there are doubts as to the identity of the requester, the company may request further information in accordance with Article 12 (6) GDPR. If the person making the request does not expressly seek access to “all” personal data processed, it is permissible to raise follow-up questions relating to the reason or subject matter of the request. Where there are signs of a serial claimant or a comparable business model operated by the opposing party, the existence of actual damage should be critically examined. In the case of legal representation, the authority of the solicitor should always be verified. In clear-cut cases, it may be appropriate to bring a negative declaratory action to establish that no data protection claims exist against the company. By contrast, it will only be in rare cases that the company itself will be entitled to claim compensation from the applicant — such as for interference with its established and operating business due to abusive conduct, as envisaged under section 823 (1) of the German Civil Code (BGB).
Where personal data are collected, the GDPR confers extensive rights upon the data subject. As a matter of principle, every data subject request must be taken into account by the data controller and handled appropriately. However, there may be situations in which a data subject abuses their position to gain financial advantage. Typical points of dispute include access requests and claims for compensation after subscribing to a newsletter or receiving a rejection for a job application. There are various indicators that may point to an abuse of rights, such as the bringing of multiple claims in similar circumstances or the disproportionate elaboration of the alleged infringement. Caution is also advised if a claim is made very soon after a new legal relationship is established.
To successfully defend against unfounded claims, companies should be aware of the challenges which arise with regard to claims for access and compensation. Access requests must be responded to even where they are made for purposes unrelated to data protection; however, in accordance with Article 12 (5) GDPR, they may be refused or made conditional on payment of a reasonable fee if the request is manifestly unfounded or excessive. In respect of claims for compensation, it should be noted that, unless there is clear evidence of a loss of control giving rise to liability, no damage will be deemed to have occurred, but rather only a purely hypothetical risk. In many cases there will also be an element of deliberate self-harm, which can serve as grounds for rejecting a claim for compensation. Companies are therefore advised to make inquiries, maintain comprehensive documentation, and structure their internal processes in line with data protection requirements. Ultimately, a range of countermeasures can be employed, such as asking follow-up questions regarding the purpose of the access request, challenging the existence of specific damage, or initiating a negative declaratory action.