University of Limerick fined €98,000
The Irish Data Protection Commission (DPC) has fined the University of Limerick (UL) €98,000 following 12 personal data breaches that occurred between 2018 and 2020.
Guidance issued by the EDPB in 2023 (Guidelines 01/2022) emphasises that the right of access is intended to give individuals visibility of how their personal data is processed. This enables them to verify that processing is lawful, confirm the accuracy of the information held about them and exercise additional rights such as objection or erasure. Access is therefore a mechanism for oversight and accountability rather than a route to obtain broad categories of documents.
A recent decision from the Paris Court of Appeal reinforces this principle. The court held that the right of access does not extend to professional email correspondence an employee is already aware of, particularly where the only personal data contained is their identity. In this case the employer had already provided the personnel file and the court agreed that withholding email content did not infringe the right of access. The judgment underscores that access must be assessed in line with the purpose of the right rather than as a disclosure exercise.
At EU level, the Brillen Rottler case (C‑526/24) offers important clarification on when a DSAR may be considered abusive. The request arose after an individual subscribed to a newsletter and then, shortly afterwards, exercised their right of access. The controller rejected the request as abusive, noting that the requester was known for similar actions, and the Court ultimately agreed.
The judgment sets out criteria controllers may rely on to determine whether a request is excessive or made for reasons unrelated to verifying the lawfulness of processing. Relevant factors include whether the individual is exercising the right for an ulterior purpose, whether the data was freely provided, the context and timing of the request and the behaviour of the requester. While the decision provides controllers with greater scope to refuse or narrow certain requests, the burden of proof remains high. Refusal must be justified, evidence‑based and never the default.
These developments are particularly relevant in Ireland where DSARs are frequently submitted in advance of litigation or employment disputes. Many of these requests may not be made to verify the accuracy or lawfulness of processing, yet organisations must still approach each request with care.
The recent case law signals a shift toward recognising that DSARs can be misused but confirms that controllers must be able to clearly demonstrate why a request is excessive or abusive before refusing it. Robust internal procedures, consistent documentation and an understanding of the factors outlined in case law will be essential as access rights continue to be tested in practice.
DSARs can be a serious overhead for organisations and can distract DPOs and data protection teams from valuable work. To learn how Forvis Mazars can help, see: Outsourced Subject Access Requests