Data controllers legally entitled to refuse excessive requests