Mass, automated GDPR data subject access requests from all over Germany?

New online portal leads to mass GDPR data subject access requests - and affects many uninvolved companies


An online portal advertises that it can help you regain control over your personal data by means of data subject access requests ("DSARs"). The service is very low-threshold and allows automated access requests to be sent to entire industry lists free of charge. Minimal effort for the portal's customers, maximum effort for many companies that have no relationship with the (alleged) data subject.

The first major service providers to discover data protection and the mass assertion of data subjects’ rights as a business model have already disappeared. Now, a new portal is trying to establish an erasure flat rate via mass DSARs.

The registration process alone leads to mass, widely scattered requests

Users can register with their name, address and e-mail address and, during the registration process, select the companies to which they would like to send DSARs. The portal helpfully offers a list of the best-known companies or lists for individual sectors. It is easier for the customer to select all the companies on the list than to think about who would actually be a relevant addressee for a DSAR. If a user does not select all, they have to deselect the companies (up to 100) individually in order to be able to register. So why bother being picky? – it doesn’t cost anything! Upon registration and confirmation of the provided email address – whether the data subject is known under this email address by the addressee of the request is never checked during the process – the selected companies immediately receive a DSAR without any further intermediate step by the user.

DSARs are largely useless

In terms of content, the letter poses a problem for the recipients: it only contains the name, address and email address provided during registration to identify the data subject. This information is often not sufficient to identify the data subject. In such cases, companies will usually request further information, as provided for in Art. 12 para. 6 GDPR. However, the email asserting the DSAR claims that requiring additional information is only permitted in exceptional cases. Some of the questions are also difficult to understand.

Large companies may be able to deal with automated requests for information of this kind in a routine and, above all, automated manner. Smaller companies that unexpectedly end up on one of the portal's sector lists for the simple assertion of DSARs or deletion requests may find themselves confronted with a large number of – largely useless – DSARs. They nevertheless have to deal with these requests and must generally respond to them within the one-month period of Art. 12 para. 3 GDPR at the latest, even if in many cases they have nothing to do with the person making the request.

The users on whose behalf the requests are sent do not know the content of the DSAR. Only if a recipient ignores the explicit request not to communicate by email (ironically sent by email including personal data the recipient may not have had before) and includes the automatically generated DSAR in their response directly to the user’s email address, will the users be able to view it themselves.

Effort for the company – benefit for the operator

Isn’t it desirable in terms of data protection if the right of access and the right to erasure can be asserted as easily as possible and, in the best case, against all controllers who process the personal data of a data subject? Does this not (finally!) mean regaining control over your own data?

Of course, data subjects are entitled to data subject rights under the conditions of Art. 12-21 GDPR. And yet, it is doubtful whether this approach benefits data protection or the data subjects. The portal enables users to write to dozens or even hundreds of companies at the same time within 1-2 minutes. If only half of the (supposed) controllers respond to the access requests, the (supposed) data subject is overwhelmed by the flood of responses, especially as most of the responses will consist of requests for clarification regarding the identity of the data subject or the power of attorney of the portal. Thus, little is gained for the portal users, while the portal’s operator keeps numerous – often uninvolved – companies and their data protection staff from doing their actual work, namely improving practical data protection in the company. All this, so that a portal operator can sell its fee-based service – erasure requests. Users can buy individual erasure requests or sign up for an ‘erasure flat rate’ for a few days or as a monthly subscription. The operator therefore has no interest whatsoever in keeping the number of requests for information manageable. If the number and quality of the DSARs are anything to go by, then the mass erasure requests expected to result from them are likely to pose similar problems for the recipients.

Conclusion

Data subject access requests must always be answered in a timely manner. We are pleased to help you organise your company processes in such a way that you can also deal with mass data subject access and erasure requests and, in individual cases, make use of the exceptions to deadlines that the GDPR provides for fulfilling these requests. Coordination with the responsible supervisory authority can also be useful in individual cases.

If you have any questions, please do not hesitate to contact us.

The most important points in brief

  • If companies are currently receiving more requests for information from persons unknown to them, this may be because the company has been included in the industry list of an online portal for the simple assertion of data subject rights.
  • Even poorly made requests for information must always be answered in a timely manner.
  • Companies must design processes for dealing with requests from data subjects in such a way that they can handle a large number of requests.