Over recent months, data protection authorities have issued rulings that expose common failings in the handling of data subject rights requests (DSRs). While these were isolated complaints, the supervisory authorities found that the organisations involved lacked internal procedures, failed to provide legally reasoned responses, and could not demonstrate accountability when challenged. These rulings confirm that even a single mishandled request can trigger enforcement if the response is not lawfully and transparently managed.

This article does not provide an exhaustive analysis of the decisions but rather presents practical compliance lessons that are broadly applicable across sectors.

Update – Amazon Europe Core S.à r.l. (Luxembourg, March 2025)

On 19 March 2025, Amazon Europe Core S.à r.l. lost its appeal before the Luxembourg Administrative Court against the €746 million fine imposed by the CNPD in 2021. While the decision primarily concerned unlawful profiling and consent practices, the CNPD reportedly also identified failures in handling data subject access, rectification, erasure, and objection requests as part of the infringement.

Although the full decision remains unpublished—in line with Luxembourg procedural rules, which require final exhaustion of appeals before publication—this development adds weight to a broader trend: European data protection authorities are increasingly scrutinizing the handling of individual rights requests, even when enforcement actions are not solely focused on DSR compliance.

Société A – Recurrent Failures to Respond to DSARs Lead to CNPD Fine (Luxembourg, January 2025)

In a fully reasoned and published decision, the Luxembourg CNPD fined a Luxembourg-based credit institution (“Société A”) €175,000 for persistent failures to respond to data subject access requests (DSARs). The decision, issued on 6 January 2025, followed 47 validated complaints filed between 2018 and 2022, mostly by individuals across the European Economic Area (EEA) who had used the company’s website to submit requests under Articles 15–22 GDPR.

The investigation found that Société A repeatedly failed to respond within the one-month deadline imposed by Article 12 para. 3 and did not provide any valid justification or notification of delay under Article 12 para. 4. One of the central failures identified was a long-standing misconfiguration of the DPO’s email inbox, which incorrectly filtered DSARs as spam. This issue remained unresolved for over a year, and crucially, the company failed to detect it internally—only correcting it after intervention by the CNPD.

Other issues involved operational inertia: even as the number of complaints grew, the company did not implement corrective measures or take the initiative to address its backlog of requests.

Although the company later implemented improved procedures, the CNPD found these changes came too late and did not mitigate the original breaches. The authority emphasised that even in the absence of intentional misconduct, negligent handling of DSARs by a large, regulated entity merited both a reprimand and a fine.

Belgian Telecom Provider – Fine Reduced but GDPR Violation Confirmed (Belgium, 2024–2025)

In August 2024, the Belgian Data Protection Authority (APD) fined a telecom provider €100,000 for failing to lawfully respond to a DSAR submitted in January 2022. The data subject had asked for a log of access events concerning his personal data, including dates, employee identifiers, and purposes, because he suspected a misuse of his personal data. The company delayed its response by 14 months, repeatedly sought unnecessary clarifications, and ultimately claimed it was technically unable to generate such logs.

The APD found that the company had violated Articles 12 para. 2, 12 para. 3, and 15 GDPR. It failed to facilitate the exercise of the data subject’s rights, did not timely communicate the reasons for its delay, and did not respond in accordance with the GDPR deadlines and requirements. Additionally, the company had not redirected the request to its DPO. The controller ultimately responded only during the APD’s legal proceedings, after the violation had persisted for over a year.

In January 2025, the Belgian Markets Court reviewed the case (No. 2024/AR/1615). While the GDPR violation was upheld, the Court reduced the original €100,000 fine to €5,000, citing the isolated nature of the incident, the absence of intent, and the company’s eventual compliance and internal remediation measures. The Court confirmed that the infringement stemmed from employee error, not a systemic issue.

What Went Wrong—and How to Fix It

The enforcement decisions highlight recurring compliance failures. For each, we draw a direct corrective measure that every controller should implement.

No working DSR management system

Organisations lacked a structured DSR workflow. Requests were delayed, misclassified, or ignored due to procedural gaps.

Controllers must establish a defined DSR governance process covering intake, routing, legal assessment, response, and closure—for all rights under Articles 15–22 GDPR.

No justification or documentation of delays or refusals

Organisations were unable to demonstrate how or why key decisions in the DSAR process were made. Legal justifications were either missing or undocumented.

Controllers must systematically record the reasoning behind every outcome—whether a request is delayed, refused, or partially fulfilled. This internal documentation is not optional: it is essential to meet the accountability obligation under Article 5 para. 2 GDPR.

Lack of communication with data subjects

Authorities found repeated failures to inform data subjects about the status of their requests, including extensions or grounds for rejection.

Controllers must communicate proactively: acknowledge receipt, notify delays within the one-month deadline, and deliver decisions that are justified, legally grounded, and written in accessible language.

No escalation to the DPO or qualified staff

Requests were mishandled by untrained staff and not escalated when necessary. In one case, the DPO was never involved and was falsely reported as unavailable.

Controllers must ensure that all relevant personnel are trained and that DSR management procedures are enforced. Any request involving legal uncertainty, delay, or potential refusal must be referred to the DPO or qualified privacy counsel. Their involvement is not optional—especially in regulated or high-risk contexts.

Faulty or unmonitored intake channels

In one case, a misconfigured spam filter blocked legitimate DSARs for over a year. The issue was not detected internally.

Controllers should regularly test and validate all intake channels—email inboxes, web forms, contact portals—to ensure accessibility, functionality, and monitoring.

Conclusion

These rulings send a clear message: mishandling even a single DSR can result in enforcement. The right of access is not a soft obligation—it is central to data protection, and authorities are increasingly attentive to how it is operationalised.

Compliance with data subject rights must be structured, documented, and legally sound. Where legal complexity arises, involving your DPO or privacy counsel is not best practice—it is operational necessity.