As data protection professionals, we see the value of strong individual rights under the GDPR. The right to access, rectify, and erase one’s personal data is foundational to the regulation’s spirit of informational self-determination. But there’s also a negative side to this that is becoming increasingly difficult to ignore: the weaponization of data protection rights to obstruct legitimate legal obligations.
In our practice, we have seen a rising number of cases where individuals invoke GDPR rights not to protect their data in any meaningful sense, but to frustrate opposing parties in court proceedings, avoid contract enforcement, or shield themselves from lawful consequences of their actions. These are deliberate attempts to reframe financial or employment-related disputes as data protection issues, usually with the intention of derailing or delaying enforcement mechanisms.
Erasure Requests as a Shield Against Debt
One of the most common tactics involves the right to erasure under Article 17 GDPR. A debtor disputes the existence or validity of a debt, not through the courts, but by requesting that all records of the debt be deleted under the GDPR.
This is not a winning strategy. Article 17 para. 3 lit. b states that the right to erasure does not apply when processing is necessary for compliance with a legal obligation or for the establishment, exercise, or defense of legal claims. Debt collection falls within that scope. And even if a court were to later find that the debt was invalid, the processing remains lawful up to that point since the legal basis existed at the time of the processing.
Yet the administrative burden of responding to these requests is a real issue. Data controllers are required to assess and respond to every erasure request within a month, with all the human labor and consulting fees that this requires. Even when the request is clearly unfounded, the time and resources spent documenting the refusal can be considerable.
Complaints to Supervisory Authorities as a Pressure Tactic
Another pattern we have identified is the filing of complaints with supervisory authorities, alleging unlawful processing or disclosure of personal data whenever a controller engages a debt collection agency. In many cases, the only alleged “unlawfulness” is that the complainant’s data was used in relation to a debt they claim not to owe.
These complaints often collapse under scrutiny. Debt recovery is a legitimate interest of controllers, and disclosure to a third-party service provider for that purpose is generally lawful. But again, the objective is not to win on the legal merits, but to create friction and shift the forum. Disputes that belong in the civil courts (about whether a debt is owed or a contract was fulfilled) are recast as GDPR violations.
This trend strains the resources of supervisory authorities, which must spend time and effort resolving these often-meritless complaints. It also forces controllers into a posture of defensive bureaucracy and risks diluting the purpose of individual rights.
Access Requests in Labor Disputes
A comparable tactic appears in employment contexts, where current or former employees engaged in, or anticipating, labor litigation submit broad subject access requests under Article 15 GDPR. In cases involving decades-long employment, or email access requests, fulfilling such requests can demand extensive hours of document searches, filtering, and redaction, which in some cases means that responding to the access requests comes at a high cost.
Although Article 12 para. 5 allows controllers to refuse manifestly unfounded or excessive requests, the bar is high and legal uncertainty often pushes employers to comply fully. This turns the access request into a procedural instrument to increase pressure and wear the employer down.
Final Thoughts
While supervisory authorities already screen out a significant number of clearly unfounded complaints, the volume that still advances shows the limits of this filtering. Complaints rooted in civil or labor disputes, framed as GDPR issues, continue to consume regulatory and controller resources. Stronger criteria for identifying and dismissing such tactical uses of data protection rights would help ensure that supervisory intervention is reserved for matters involving genuine privacy concerns.
Controllers can reduce exposure by:
- Maintaining detailed and up‑to‑date records of processing activities, especially where data is retained for legal claims or debt enforcement.
- Applying retention schedules rigorously: set clear retention periods, delete data as soon as those periods expire, and avoid storing more than is strictly necessary.
- Ensuring privacy notices clearly explain when and why personal data will be retained, including in the context of legal disputes.
- Where third parties (such as debt collection agencies) are involved, keeping data processing agreements airtight and ready to undergo regulatory scrutiny.
The GDPR is not a universal lever that can be pulled for any purpose. Data protection rights exist for the protection of dignity, autonomy, and fairness in the digital age. When individuals exploit these rights to avoid accountability, they erode the credibility of the entire field and divert resources away from genuine privacy matters.