- The ECJ confirms that Art. 57 (4) GDPR covers formal complaints pursuant to Art. 77 (1) GDPR.
- A high number of requests alone does not automatically make them “excessive”; the supervisory authority must prove intent to abuse.
- The supervisory authority bears the burden of proof for the manifestly unfounded or excessive nature of a request.
The Court of Justice of the European Union (ECJ) has ruled in the Judgment of January 9, 2025 (Rs. C‑416/23) to Exportegation of Art. 57 (4) GDPR, which has the following wording:
In the case of manifestly unfounded or – especially in the case of frequent repetition – excessive requests, the supervisory authority may charge a reasonable fee based on the administrative costs or refuse to act on the request. In this case, the supervisory authority bears the burden of proof for the manifestly unfounded or excessive nature of the request.
The ECJ initially confirmsthat the Term dhe “request” in Art. 57 para. 4 GDPR Formal complaints pursuant to Art. 77 (1) GDPR includes. However, according to the ECJ not only because of their number excessive” during a certain period of time. Rather, the supervisory authority must prove the intention to abuse.
The Austrian Data Protection Authority (DPA) had refused to investigate a complaint regarding a violation of the right of access because the complaint was manifestly unfounded or excessive.