
CJEU clarifies when a DSAR may be refused as an abuse of GDPR rights

On 19 March 2026, the Court of Justice of the European Union (“CJEU”) delivered an important judgment concerning data subject access requests (“DSARs”). In Brillen Rottler GmbH & Co. KG v TC (Case 526/24), the CJEU clarified when a DSAR may be considered “excessive” and an abuse of one’s data protection rights under Article 12(5) GDPR.  The CJEU also clarified the limits of data subjects’ right to compensation under Article 82 GDPR.

Background

A data subject in Austria subscribed to the newsletter of a German optician (“the controller”), by entering his personal data in the registration form available on the company’s website, and consenting to the processing of this data. Just thirteen days later, the data subject submitted a DSAR under Article 15 GDPR. The DSAR was refused on the grounds that it was abusive under Article 12(5) GDPR, and the data subject claimed €1,000 in compensation for non-material damage suffered as a result of the DSAR refusal, pursuant to Article 82 GDPR. The controller submitted that it was apparent from various public sources that the data subject systematically and abusively made DSARs for the sole purpose of obtaining compensation for an alleged infringement of his data protection rights, which he deliberately provoked.

Following proceedings brought in the German District Court by the data subject based on the controller’s refusal to respond to the DSAR, the German Court referred a number of questions to the CJEU.  Those questions focused in particular on:

  • whether a first DSAR may be regarded as “excessive” under Article 12(5) GDPR, and if so, what circumstances make it possible to establish such excessive character;
  • whether Article 82(1) GDPR must be interpreted as conferring on the data subject a right to compensation for the damage resulting from an infringement of the right of access provided for in Article 15 GDPR; and
  • whether Article 82(1) GDPR must be interpreted as meaning that the non-material damage suffered by the data subject encompasses the loss of control over his or her personal data or his or her uncertainty as to whether those data have been processed.

Last year, Advocate General Szpunar delivered an initial Opinion as to when a DSAR may be refused due to being “excessive” (previously discussed here). The CJEU has now delivered its final ruling which is broadly in line with the Advocate General’s Opinion.  This judgment provides welcome clarity on the scenarios where a controller may refuse a DSAR or charge a reasonable fee on the grounds that it is abusive and constitutes an “excessive” request under Article 12(5) GDPR, and the circumstances when compensation can be awarded for non-material loss suffered by a data subject pursuant to Article 82(1) GDPR.

CJEU Judgment

The CJEU found as follows:

  • A first DSAR may be refused on the grounds that it is abusive and “excessive” under Article 12(5) GDPR. Accordingly, excessive requests are not limited to “repetitive” requests.
  • In regard to what circumstances make it possible to establish such “excessive” character under Article 12(5) GDPR, the CJEU ruled that an abusive intention may be found where the data subject has made the request other than for the purpose of being made aware of the processing of their personal data and verifying the lawfulness of the processing, such as to artificially create the conditions for a compensation claim.
  • In considering whether an abusive intention exists, the controller may have regard to factors such as whether the data subject provided personal data without being required to do so; the aim of providing their personal data; the conduct of the data subject generally; and the time between the provision of their personal data and submitting the DSAR. The controller may also have regard to any publicly available information showing the data subject’s history of systematically making DSARs, followed by claims for compensation to various controllers. The burden rests on the controller to establish that there is abusive intention on the part of the data subject.
  • The right to compensation provided for in Article 82 GDPR is not limited to damage resulting from the “processing” of personal data. Article 82 GDPR provides a right to compensation where there is an infringement of the GDPR, including damage resulting from an infringement of the right of access under Article 15 GDPR.
  • In order to obtain compensation under Article 82 GDPR, the data subject must establish (i) an infringement of the GDPR; (ii) the existence of material or non-material damage; and (iii) a causal link between the infringement and damage.
  • The causal link between the alleged infringement and the alleged damage may be broken by the conduct of the data subject, provided that that conduct proves to be the determining cause of the damage. Accordingly, a data subject will not be entitled to compensation under Article 82(1) GDPR for damage allegedly suffered as a result of the loss of control over his or her personal data or as a result of his or her uncertainty as to whether those data have been processed, where the causal link is broken by the data subject’s conduct, insofar as that loss of control or that uncertainty was caused by the data subject’s decision to submit those data to the controller with the aim of artificially creating the conditions laid down for the application of that provision.

The dispute will now be decided by the German District Court in light of the answers provided by the CJEU.

Comment

The CJEU’s ruling will be welcomed by controllers to the extent that it clarifies that even a first DSAR may be deemed “excessive” and refused if it was made with an abusive intention, such as that of artificially creating grounds for a compensation claim rather than to be informed of the personal data processed about them and to verify its lawfulness.

However, it is important to note that this decision does not provide an open door to controllers to refuse vexatious DSARs. In order to refuse a DSAR on the grounds of its “excessive” character, controllers will have to clearly demonstrate an abusive intention on the part of the data subject in making the DSAR. Proving such an abusive intention remains a high bar. As the CJEU stated in its decision, “since the concept of ‘excessive requests’ must be interpreted restrictively … a controller may rely on such excessive character only exceptionally”.

This judgment will also need to be considered in parallel with the Digital Omnibus Regulation, once finalised. The draft Regulation (previously discussed here) similarly seeks to clarify when controllers can refuse or charge a reasonable fee for abusive DSARs on the grounds that they are “excessive” under Article 12(5) GDPR.


© 2026 Matheson LLP | All Rights Reserved