In a significant judgment delivered on March 19, 2026, the Court of Justice of the European Union (CJEU) clarified that the right of access under Article 15 of the GDPR is not absolute. Controllers may refuse a data subject access request (DSAR) — even a first-time request — if it is deemed “excessive” or made with abusive intent, particularly when the primary goal appears to be manufacturing grounds for a compensation claim.
The ruling in Case C-526/24 (Brillen Rottler GmbH & Co. KG v. TC) provides important guidance for organizations facing strategically filed access requests and sets clearer boundaries on when data subjects can claim non-material damages under Article 82 GDPR.
The Case Background
An Austrian individual subscribed to the newsletter of Brillen Rottler, a small family-run optician based in Arnsberg, Germany. He provided his personal data via the company’s website registration form. Just thirteen days later, he submitted a formal request for access to his personal data under Article 15 GDPR.
Brillen Rottler refused the request, arguing it was abusive. The company pointed to publicly available information, including reports, blog articles, and lawyers’ newsletters, suggesting the individual systematically subscribed to company newsletters, immediately filed access requests, and then pursued compensation claims for alleged GDPR infringements.
The individual disputed the refusal and claimed at least €1,000 in compensation for non-material damage caused by the denial of his access request. The dispute reached the Local Court (Amtsgericht) in Arnsberg, Germany, which referred preliminary questions to the CJEU.
Key Findings of the CJEU
The Court ruled that a first request for access can, in certain circumstances, be considered “excessive” within the meaning of Article 12(5) GDPR. This provision allows controllers to either charge a reasonable fee or refuse to act on requests that are manifestly unfounded or excessive.
According to the CJEU, a request is abusive when the controller can demonstrate that — despite formally meeting the conditions of the GDPR — the data subject did not submit it to:
- Become aware of how their data is being processed, or
- Verify the lawfulness of that processing (in order to exercise other rights such as rectification, erasure, or objection).
Instead, the request was made with the abusive intention of artificially creating the conditions needed to claim compensation under Article 82 GDPR.
The Court emphasized that all circumstances of the case must be considered, including:
- The fact that the data subject provided their personal data voluntarily (without any obligation to do so).
- The purpose for which the data was provided.
- The short time between providing the data and filing the access request.
- The overall conduct and pattern of behavior of the data subject.
Publicly available information showing that the individual has filed numerous similar access requests followed by compensation claims against multiple controllers can be taken into account when assessing abusive intent. The burden of proof lies with the controller.
Compensation for GDPR Infringements
The CJEU confirmed that a data subject who suffers material or non-material damage as a result of a GDPR infringement — including a violation of the right of access — has the right to compensation from the controller under Article 82.
However, the Court set important limits:
- The data subject must actually demonstrate that they have suffered damage (mere infringement alone is not sufficient for compensation).
- Non-material damage can include loss of control over personal data or uncertainty about whether data has been processed lawfully.
- A data subject cannot receive compensation if their own abusive conduct is the determining cause of the damage claimed.
This means that if a refusal of access is justified because the request itself was abusive, the data subject will generally not be entitled to compensation for that refusal.
Implications for Organizations and Data Subjects
This judgment is welcome news for businesses, especially small and medium-sized enterprises that may be targeted by serial DSAR filers seeking to generate compensation claims. It confirms that data subject rights, while fundamental, are not unlimited and must be exercised in good faith.
For controllers, the ruling provides a practical tool to push back against potentially abusive requests. However, they must still carefully document the reasons for refusal and be prepared to defend their decision before national courts, as the assessment is highly fact-specific.
For privacy professionals and data protection officers, the decision reinforces the importance of maintaining clear records of DSAR handling and considering patterns of behavior when evaluating requests.
Data subjects retain strong protections under the GDPR, but the ruling draws a line against strategic or bad-faith use of access rights primarily aimed at financial gain rather than genuine exercise of data protection rights.
The case now returns to the Local Court in Arnsberg, which must apply the CJEU’s guidance to resolve the dispute. The judgment is binding on other national courts facing similar issues across the EU.
