Workload is no excuse: Belgian DPA reaffirms large impact of right of access

In a decision dated 6 May 2026 (No. 97/2026), the Belgian Data Protection Authority (DPA) once again underlines how far-reaching the GDPR right of access really is. In particular, it makes clear that employers cannot rely on practical difficulties or internal workload to limit or avoid complying with such requests.

Access requests can only be refused in exceptional situations – namely where they are manifestly unfounded or excessive.

Facts

The case concerned a technician who asked his employer for access to, and a copy of, all his timesheets over a five‑year period. These documents detailed his daily activities and travel, based on his own handwritten notes. The purpose of the request was straightforward: to verify whether his working time had been correctly recorded and paid.

The employer only provided a single timesheet. It argued that retrieving and copying the remaining documents – which were archived by day rather than by employee – would require a disproportionate administrative effort. As an alternative, the employer offered the employee the possibility to examine the documents on-site and identify the relevant records himself. The employee considered this insufficient and filed a complaint with the DPA.

What did the Litigation Chamber of the DPA say?

Valid and sufficiently specific request

The DPA rejected the employer’s argument that the request was unclear or insufficiently substantiated, reiterating that a data subject does not need to provide the reasons for exercising the right of access. The request was sufficiently specific, as it concerned a defined category of documents over a five‑year period. The DPA also stressed the employer’s duty to cooperate proactively: if a request is unclear, clarification must be sought, and any (partial) refusal must be communicated and reasoned within one month. By merely offering on-site access without issuing a formal response, the employer breached its GDPR obligations. The DPA further confirmed that the right of access includes obtaining a copy in a durable format, meaning that on-site inspection alone is, in principle, insufficient.

No manifestly unfounded or excessive request

The employer claimed that the request was excessive due to the significant workload involved in retrieving, copying, and anonymizing the documents, in particular given its archiving system. It argued that additional staff would need to be hired to deal with such requests.

The DPA recalled that a request can only be considered manifestly unfounded or excessive in exceptional cases of abuse of rights, notably where the request is made solely with the intention of causing harm to the controller (the employer).

According to the DPA, abuse of rights requires both an objective and a subjective element. As regards the objective element, the DPA found that the purpose of the right of access was genuinely pursued in this case: the employee sought to access their personal data and verify its accuracy. Even if the request was (also) motivated by another purpose, for instance in the context of an employment dispute, this does not undermine the exercise of the right of access.

As regards the subjective element, the employer failed to demonstrate that the employee had artificially created the conditions for the application of the GDPR in order to obtain an undue advantage. The performance forms had been drawn up in the context of a long-standing employment relationship, and the access request was only made several years later. There was therefore no evidence of intentional abuse.

Finally, the DPA stressed that the workload associated with handling an access request cannot, in itself, render that request excessive, particularly where that workload results from the employer’s own internal organization or archiving system. The GDPR does not contain a general proportionality limitation that would allow the right of access to be restricted on grounds of efficiency or cost. On the contrary, the employer is required to facilitate the exercise of data subjects’ rights and to organize its systems in such a way that those rights can effectively be exercised.

Third-party data

The employer argued that the performance forms might contain data relating to third parties, such as customers and colleagues of the employee. The DPA acknowledged that the documents could contain such third-party data, but clarified that this cannot justify a complete refusal. The employer must instead take appropriate measures, such as anonymization, so that a copy can still be provided. Moreover, the DPA noted that granting unrestricted on-site access could increase the risk of unlawfully disclosing third-party data.

Sanction

The DPA issued a warning and ordered the employer to provide the employee with a copy of the requested performance forms within one month.

Key takeaway

Employers should not underestimate access requests. Even when they involve large volumes of data or complex archiving systems, the DPA expects full compliance – unless the strict threshold of “manifestly unfounded or excessive” is met. Workload or a complex classification system is not a valid excuse.

Authors

Juliette Depuydt, Inger Verhelst
