Alert
March 27, 2026

Weaponising Access Rights: CJEU Confirms Abusive Access Requests May Be Refused

On 19 March 2026, the Court of Justice of the European Union (CJEU) in Case C-526/24 (Brillen Rottler) held that a data subject's first access request may, in certain circumstances, be refused as "excessive" under the EU General Data Protection Regulation (GDPR), including where it is part of a deliberate attempt to generate a compensation claim. The decision provides important clarity for organisations faced with opportunistic or bad-faith data subject access requests (DSARs).

Background

In March 2023, a natural person residing in Austria (TC) subscribed to the newsletter of Brillen Rottler, a family-run optician company based in Arnsberg, Germany. TC subscribed by entering his personal data in the registration form on Brillen Rottler’s website. Thirteen days later, TC submitted a DSAR under Article 15 of the GDPR, which gives data subjects the right to obtain confirmation as to whether their personal data is being processed and, where that is the case, the right of access to that data.

Brillen Rottler refused the request for access and called on TC to withdraw it definitively, on the basis that it considered the request to be abusive within the meaning of the GDPR. After TC maintained his request for access, Brillen Rottler submitted a claim to the local court in Arnsberg, Germany (Local Court), arguing that various reports, blog articles and lawyers' newsletters showed TC had systematically and abusively made requests for access to his personal data for the sole purpose of obtaining compensation for GDPR infringements he had deliberately provoked. Brillen Rottler further submitted that TC’s approach constituted a deliberate provocation by first subscribing to a newsletter, then making a request for access, and finally submitting a claim for compensation.

By contrast, TC maintained his request was a legitimate exercise of his right of access under GDPR. TC counterclaimed for compensation of at least €1,000 for non-material damage resulting from Brillen Rottler's refusal to grant him access to his personal data.

The Local Court decided to stay proceedings and referred the following questions to the CJEU:

  1. whether a first request for access to personal data made by the data subject under Article 12(5) of the GDPR may be regarded as "excessive"; and 
  2. whether that data subject is entitled to compensation for the damage resulting from an infringement of the right of access.

The CJEU's Findings

The CJEU addressed three core issues:

  1. Whether a first DSAR can be "excessive": The CJEU held that "excessive" in Article 12(5) of the GDPR encompasses both qualitative and quantitative characteristics. The CJEU did not rule out the possibility that a first DSAR may be excessive. Although repetitive character is cited in Article 12(5) as an indicator of excessiveness, the CJEU confirmed this is only an example and the characterisation of a request as excessive does not require a large number of requests by the same data subject. A controller may therefore refuse to act on a first request, provided it can demonstrate that the request was made not to verify the lawfulness of processing, but with an abusive intention, such as artificially creating the conditions for obtaining compensation. Relevant circumstances include the fact that personal data was provided voluntarily, the purpose for which the data was provided, the time elapsed between provision and the access request, and the data subject's conduct. Publicly available information indicating that a data subject has systematically made access requests and compensation claims against other controllers may also be taken into consideration, provided it is assessed alongside other relevant material.
  2. Compensation for infringement of the right of access: The CJEU held that Article 82(1) of the GDPR confers on the data subject a right to compensation for damage resulting from an infringement of the right of access under Article 15(1) of the GDPR. The provision makes no reference to "processing" and the right to compensation cannot therefore be limited to damage arising from the processing of personal data. As such, three cumulative conditions must be satisfied for a data subject to obtain compensation: (i) an infringement of GDPR, (ii) actual damage suffered, and (iii) a causal link between the two. Damage cannot be presumed merely because an infringement occurred, and a person seeking compensation must demonstrate the infringement actually caused him or her damage.
  3. Non-material damage and the causal link: Non-material damage, including loss of control over personal data or uncertainty as to whether data has been processed, may in principle be compensable under Article 82(1). However, a data subject cannot receive compensation where his or her own conduct was the determining cause of the damage. This includes situations where the loss of control or uncertainty arose from the data subject's deliberate decision to submit personal data to a controller to manufacture a compensation claim.

Key Takeaways

The key takeaways from this ruling are as follows:

  • Controllers can refuse a first DSAR in appropriate cases. The number of access requests made to a particular controller is not in itself determinative. A controller may refuse to act on a first request where it can establish the data subject acted with an abusive intention, having regard to all relevant circumstances.
  • The burden of proof lies with the controller. The GDPR expressly requires the controller to bear the burden of demonstrating the excessive character of a request. The CJEU emphasised that the concept of excessive requests must be interpreted restrictively. Controllers must therefore be in a position to evidence an abusive intention with clear and concrete material.
  • Publicly available information can be relied upon. Where publicly available sources such as reports, blog articles or lawyers' newsletters indicate that a data subject has systematically submitted access requests and compensation claims to multiple controllers, that information will be relevant to establishing abusive intent, provided it is supported by other relevant material.
  • Compensation can arise from a refusal to grant access, not just from unlawful processing. A data subject may be entitled to compensation under Article 82 where the infringement relates to the right of access under Article 15, even if the underlying processing itself complies with GDPR. Controllers should therefore be alert to the risk of compensation claims arising from procedural failures in handling DSARs, irrespective of whether their underlying processing activities are otherwise compliant.
  • A data subject cannot recover compensation where their own conduct is the determining cause of the damage. Where the data subject's conduct is the root cause of the damage claimed, that conduct breaks the causal link required to establish a right to compensation under Article 82(1).

Conclusion

This ruling marks a significant development in the enforcement landscape for DSARs and will be particularly relevant to organisations that process personal data at scale and may be exposed to such requests.

It provides a firmer basis for resisting clearly bad-faith access requests. However, it is not an easy escape route: Controllers still bear the burden of demonstrating that a request is excessive, including evidencing abusive intent with clear supporting material – something that may be difficult in practice. As ever, the CJEU (and regulators) expect the concept of “excessive” to be interpreted restrictively. The decision also reaffirms key aspects of the GDPR compensation regime, offering helpful additional clarity.

The authors would like to thank Carmen Lim for her assistance with this piece.

This informational piece, which may be considered advertising under the ethical rules of certain jurisdictions, is provided on the understanding that it does not constitute the rendering of legal advice or other professional advice by Goodwin or its lawyers. Prior results do not guarantee similar outcomes.