What is GDPR Hopping?
Increasingly, applicants use the recruitment process not to genuinely pursue employment but to subsequently assert data protection access rights under Article 15 GDPR. This practice is known as “GDPR hopping.” The primary objective is typically to confront employers with access and compensation claims.
Common patterns include multiple identical or highly similar applications, followed by standardized access requests. Shortly thereafter, applicants often demand compensation for non-material damages, claiming delays or incomplete responses as justification.
How Can Employers Identify GDPR Hoppers?
Typical indicators include:
- Applications showing no genuine interest in the position
- Significant distance between the applicant’s residence and the workplace
- Excessive or unrealistic salary expectations
- Standardized access requests, often drafted in legalistic language
- Prompt demands for compensation or settlement payments
These patterns suggest that the applicant’s aim is not genuine employment but the creation of claims.
If such patterns are detected, immediate action is recommended to avoid unnecessary payments. Our firm provides confidential and complimentary case evaluations.
Typical Claims: Access, Compensation, Non-Material Damages
GDPR hoppers usually rely on two main points:
- The right of access under Article 15 GDPR, often used to identify formal errors
- Claims for non-material damages, frequently referred to as “pain and suffering”
However, courts increasingly emphasize that delayed or incomplete access does not automatically trigger compensation. Mere “discomfort” is insufficient; demonstrable, concrete harm must be proven.
Case Law on GDPR Hopping
To date, there are no supreme court rulings specifically addressing GDPR hopping. Nevertheless, jurisprudential trends are clear: access requests manifestly aimed solely at claim generation may be considered abusive.
Several courts have ruled that merely asserting a loss of control over personal data is insufficient to justify non-material damages (e.g., Federal Labour Court, judgment of 20 February 2025, Ref.: 8 AZR 61/24). Further details are available in this LTO article (German).
Recently, the Advocate General of the CJEU stated (Opinion in Case “Brillen Rottler,” 18 September 2025, C-526/24) that access and compensation claims under the GDPR may be voided if an individual knowingly subscribes to a newsletter and shortly thereafter requests access solely to provoke compensation claims. Such conduct may be deemed abusive. More details here (German).
Courts increasingly insist that mere allegations are insufficient. Obtain our assessment now to understand how courts might evaluate your situation.
How Should Employers Respond?
- Take requests seriously, but verify legitimacy: Not every claim is justified
- Monitor deadlines carefully: Avoid unnecessary delays
- Document thoroughly: Keep precise records of procedures and communications
- Maintain legal awareness: Courts require concrete evidence of damages
- Prevention: Establish clear processes for handling applicant data
This approach helps employers avoid unnecessary payments and protracted proceedings while fully complying with their obligations.
Support from Our Law Firm
Our firm assists employers in legally assessing and countering GDPR hopping. We determine whether access rights genuinely exist, identify potential abuse, and recommend effective defense strategies. Simultaneously, we develop preventative solutions to ensure recruitment processes remain fully GDPR-compliant and legally secure.
