Summary

On 19 March 2026, the Court of Justice of the European Union (CJEU) handed down its judgment in Case C-526/24, Brillen Rottler, clarifying that a data subject’s first request for access to personal data under Article 15 of the General Data Protection Regulation (GDPR) may be refused as “excessive”. The judgment also addresses the conditions under which compensation may be claimed under Article 82 of the GDPR where a controller refuses to comply with such a request.

Background

The case involved a German optician business, Brillen Rottler, and an Austrian resident (TC) who had signed up to receive the company’s newsletter by submitting his personal details via the registration form on Brillen Rottler’s website. Just under two weeks after doing so, TC lodged a data subject access request (DSAR) with Brillen Rottler pursuant to Article 15 of the GDPR.

Brillen Rottler refused the request, arguing that it was abusive and pointing to publicly available material, including professional reports and legal newsletters, suggesting that TC routinely went through the same process with numerous companies – subscribing to a newsletter, then submitting an access request for the sole purpose of obtaining compensation when the request was refused. TC disputed this, claiming that his right of access could be exercised unconditionally. TC sought at least €1,000 in compensation for the non-material damage he claimed to have suffered as a consequence of the refusal.

The matter came before the Local Court in Arnsberg, Germany. The Court referred questions to the CJEU concerning two key issues: (i) whether a data subject’s very first access request is capable of being characterised as “excessive” under the GDPR; and (ii) whether a data subject may recover compensation where a controller has infringed the right of access.

The Judgment

Can a first request for access be “excessive”?

Article 12(5) of the GDPR provides that, where requests are “manifestly unfounded or excessive”, a controller may charge a reasonable fee or refuse to act, with “repeated requests” cited as an example of an excessive request. Brillen Rottler argued that this provision was not limited to repeated requests made to the same controller.

The CJEU agreed. The Court confirmed that a first access request may, in certain circumstances, already fall within the meaning of “excessive” in Article 12(5). The mention of repeated requests in that provision is, the Court made clear, no more than one illustration of excessiveness and does not set the outer limit of the concept. The decisive question is not the number of requests for access made by the data subject but whether the request is driven by an abusive intention to engineer the preconditions for a compensation claim under Article 82 GDPR.

The Court anchored this reasoning in the well-established general principle of EU law prohibiting the abusive or fraudulent invocation of rights conferred by Union legislation.

In assessing whether abusive intent exists, the CJEU identified a number of relevant (but non-exhaustive) factors, including:

  • whether providing the data was voluntary or compelled;
  • the reason for which the data subject chose to provide those data in the first place;
  • the length of time between the initial data submission and the subsequent access request; and
  • the overall pattern of the data subject’s behaviour, including any publicly available information indicating that the individual has made comparable requests to a wide range of controllers and pursued compensation claims in each case.

Importantly, the burden of proof lies with the controller to demonstrate the existence of abusive intent. All circumstances of the individual case must be taken into account.

Compensation under Article 82 GDPR

On the question of compensation, the CJEU reaffirmed that the right to recover damages under Article 82 extends to breaches of the right of access, including where the infringement complained of does not involve any unlawful processing of personal data as such. The Court also confirmed that non-material damage within the meaning of Article 82 may include both loss of control over personal data and the anxiety or uncertainty arising from not knowing whether that data has been processed. The entitlement to compensation is, however, conditional: the data subject must establish that they have genuinely sustained the damage for which they seek redress, and a bare assertion of distress or anxiety will not suffice. The Court went further on causation, making clear that where the data subject’s own conduct is the primary driver of the harm they allege, the causal connection required to sustain a compensation claim will be treated as broken.

Comment

The Brillen Rottler judgment is a meaningful development for organisations that handle large volumes of DSARs and that have been confronted with what appears to be systematic, compensation-driven request activity. Whilst Article 12(5) GDPR has long offered controllers the theoretical possibility of refusing excessive requests, the practical scope of that provision has been uncertain, particularly in relation to first requests made by a data subject.

The Court’s clarification that a single, first-time request may be refused as excessive, provided the controller can demonstrate abusive intent, provides a more defensible footing for organisations seeking to challenge such requests. Equally significant is the Court’s ruling on causation under Article 82: where an individual has deliberately engineered the circumstances giving rise to a claim, the causal link between the controller’s conduct and any alleged damage may be broken.

That said, the judgment should not be read as a general licence to refuse DSARs that are merely inconvenient. The bar for establishing abusive intent remains a high one, and the burden of proof rests firmly with the controller. Organisations wishing to rely on Brillen Rottler will need to be in a position to gather and document objective evidence demonstrating that the request was made with the sole purpose of manufacturing a compensation claim, rather than exercising a fundamental data protection right.

It will be for the Local Court, Arnsberg, to resolve the underlying dispute in light of the CJEU’s answers, and it remains to be seen how national courts across the EU will apply the Court’s guidance in practice.