The European Union’s General Data Protection Regulation (GDPR) represented a major step forward in the protection of personal data, however data subjects often abuse the rights granted to them under the GDPR, which significantly complicates the daily operations of controllers.

A recent judgment has highlighted, that the right of access also has limits. In a case involving an online casino, the Landgericht Dortmund (Dortmund Regional Court) ruled that the rights of data subjects cannot be exercised abusively.

What was the case about?

On 8 of April 2025, the Dortmund court ruled in a dispute concerning online gambling, in which it found that the right of access under the GDPR had been exercised abusively.

The data subject – who had previously played at an online casino – intended to bring a damages claim on the grounds that the casino had operated for a period without a licence in Germany. The player claimed, that during this period he had made significant deposits into the casino but had not lost the full amount in gambling, and therefore the casino was obliged to reimburse the non-lost portion, he thus sought to enforce this loss before the court. However, he was unable to show when and how much money he had lost in total, had no records regarding the games and losses, he could not substantiate either that not all deposits had been lost or to specify what exact amount might still be owed by the casino.

The unfortunate player sought to resolve the issue by relying on the right of access guaranteed under the GDPR. Resourcefully, he reasoned that the GDPR’s definition of personal data also encompassed the games played and their outcomes, and, given that such data would be necessary for the resolution of any potential dispute, he assumed with good reason that the casino retained these records for its own protection. Accordingly, the individual exercised the possibility guaranteed under the GDPR and submitted an access request to the casino, seeking disclosure of all data relating to him, including the records of games and losses, in order to calculate the exact amount he might claim back.

However, his plan failed at the first step: the casino rejected his request, considering it abusive, and refused to disclose the data, arguing that the applicant intended to use them not for purposes consistent with the objectives of the GDPR, but rather for the preparation of litigation to be initiated on a basis independent of the GDPR.

The data subject considered the casino’s refusal unlawful and therefore brought the matter before the court, requesting the disclosure of the data and, if the data showed that the casino indeed owed him money, a judgment ordering repayment of the non-lost amounts. Contrary to the plaintiff’s expectations, the court ruled in favour of the casino, holding that the request constituted an abuse of rights, and consequently dismissed the claim for payment in the absence of the data.

Why was it considered abuse?

According to the article 12 (5) (b) of the GDPR, controllers may refuse to act on request for access where the request is “manifestly unfounded” or “excessive.” The court interpreted this provision of the GDPR as not being exhaustive or exclusive, holding that a controller may also lawfully refuse to comply with a request for access in other circumstances where the request amounts to an abuse of rights.

The judgment emphasised that the purpose of the right of access is not to enable a person to use the GDPR as a means of evidence gathering prior to or during litigation, but rather to ensure the transparency of processing operations and to allow the data subject to verify whether processing is carried out lawfully and in accordance with the information provided by the controller. This is also reflected in the preamble 63 GDPR, which states that “A data subject should have the right of access to personal data which have been collected concerning him or her, and to exercise that right easily and at reasonable intervals, in order to be aware of, and verify, the lawfulness of the processing.” However, in this case the plaintiff did not seek to verify what data the casino held about him or whether it was lawfully processed – but merely wished to determine how much money he had lost and to use this information as the basis for a damages claim.

The court further compared the situation at issue with other, similar contexts in which the data subject does not have access to his or her own data. typical example is access to health data: a patient often cannot access, and does not hold, all information, test results or medical records concerning him or her. In such cases, the patient genuinely has no other realistic possibility than to rely on the data stored by the physician, and it cannot reasonably be expected that the patient would maintain records, even retrospectively for several years. By contrast, in the court’s view, a player – who could have kept records of his gambling losses himself – is not in the same situation of necessity.

Therefore, the court found that the plaintiff’s request went beyond the purpose of the right guaranteed by the GDPR, and that such an exercise of the right amounted to an abuse of rights. This judgment represents a rare example of a court refusing to grant the right of access on the ground of abuse of rights.

The judgment is of particular significance because, in general, courts tend to side with data subjects and interpret the concept of “abuse of rights” narrowly. In this instance, however, the Dortmund court underlined that:

• The GDPR cannot be used for every purpose, in particular not for the preparation of civil lawsuits.
• The legal instruments established for the protection of personal data do not replace the information-gathering mechanisms available under civil procedural law.

This serves as a warning to both to data subjects and lawyers: the GDPR is a powerful tool, but not a Swiss Army knife to be deployed for any purpose.

The Court of Justice of the European Union (CJEU) has held in several cases (e.g., in C-307/22, C-416/23, C-38/21) that EU law prohibits the abusive exercise of rights. This general principle has now also been applied in the context of the GDPR in an individual case.
 
What does this mean for us in Hungary?

Given that the decision was rendered in Germany, it has no direct effect on Hungarian users for the time being. In the case the practice will be adopted, the GDPR will continue to protect the rights of data subjects, if we wish to know what personal data a controller holds about us, on what legal basis, and for what purposes it is used, we are entitled to request access. However, such an access request should be used for the genuine purposes of the GDPR. This, for example, if we want to verify whether an online store has deleted our old address, or if we suspect unlawful processing, it is entirely appropriate to submit a request. What will likely not be permissible is to use the GDPR as a “weapon” or a loophole. If we intend to bring an action against someone but do not know exactly what we want to claim, the necessary information and evidence should be obtained under the rules of civil procedure, not by abusing the instruments of data protection law.

dr. Kitti Humbert / Zoltán Fischer