THE BOTTOM LINE
- Motive Doesn’t Matter: Companies cannot refuse a GDPR data access request by arguing the user is simply “fishing for evidence” for a lawsuit. The Amsterdam court confirmed that the requester’s motive is irrelevant.
- GDPR as a Discovery Tool: This ruling effectively allows individuals—customers, former employees, or litigants—to use GDPR’s Article 15 as a powerful, low-cost tool for pre-trial discovery to build a legal case.
- High Bar for Refusals: Attempting to use national law exemptions to block data access requests faces an uphill battle. Courts will interpret these exceptions narrowly, requiring proof that a claim is actual or imminent and that withholding data is “strictly necessary.”
THE DETAILS
A group of 19 former users of the Unibet online casino brought a case against its operator, Risepoint Limited, in a summary proceeding before the Amsterdam District Court. The users had each submitted a data access request under Article 15 of the GDPR, demanding a full overview of their transaction histories, including all deposits and withdrawals. Risepoint refused to comply, arguing that the requests were an abuse of right. The company claimed the users’ true intention was not to verify their data’s integrity but to gather evidence for future lawsuits aimed at reclaiming gambling losses.
The court decisively rejected the company’s “abuse of right” defense. Citing a key ruling from the Court of Justice of the European Union (ECLI:EU:C:2023:811), the judge affirmed that a data controller’s obligation to provide a copy of personal data is not dependent on the requester’s reason for asking. Even if the primary goal is to prepare for litigation, the right of access under the GDPR remains intact. This judgment sends a clear signal that companies cannot simply dismiss data access requests by questioning the user’s motives, significantly limiting a common defense strategy.
Furthermore, the court dismissed Risepoint’s attempt to rely on a provision in the Maltese Data Protection Act. The company argued that Maltese law allows for the restriction of data access rights when necessary for the “establishment, exercise or defence of a legal claim.” However, the court interpreted this exception narrowly. It ruled that a hypothetical or potential future lawsuit is insufficient grounds for refusal. For such an exemption to apply, a company must demonstrate that a legal claim is “actual” or “imminent” and that withholding the data is “strictly necessary“—a high threshold that was not met. The court ordered Risepoint to provide the complete transaction histories in a standard electronic format (like CSV or XLSX) within 21 days.
SOURCE
Source: Rechtbank Amsterdam
