CJEU: GDPR data access requests can be abusive

Communications Directorate Press and Information Unit curia.europa.eu PRESS RELEASE No 38/26 Luxembourg, 19 March 2026 Judgment of the Court in Case C-526/24 | Brillen Rottler A request for access to one’s own personal data may be considered abusive and refused if it is made for the sole purpose of subsequently claiming compensation for an alleged infringement of the GDPR An individual residing in Austria subscribed to the newsletter of the family run optician company Brillen Rottler, established in Arnsberg, Germany, by entering his personal data in the registration form available on the company’s website. Thirteen days later, he sent a request for access to Brillen Rottler under Article 15 of the General Data Protection Regulation (GDPR). According to that regulation, a data subject is to have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, the right of access to those data and the information relating thereto. Brillen Rottler refused the request, considering it to be abusive. According to Brillen Rottler, various reports, blog articles and lawyers’ newsletters show that that individual systematically subscribes to newsletters of various companies before submitting a request for access and then a claim for compensation. The individual, by contrast, maintained that his request for access was legitimate and claimed compensation of at least €1 000 from Brillen Rottler for the non-material damage that he claims to have suffered as a result of the refusal of that request for access. The Local Court, Arnsberg, hearing the dispute between Brillen Rottler and that individual concerning the legitimacy of the request for access and the claim for compensation, asked the Court of Justice whether a first request for access to personal data made by the data subject may be regarded as ‘excessive’ and whether that data subject is entitled to compensation for the damage resulting from an infringement of the right of access to those data. The Court replies that a first request for access may, in certain circumstances, already be regarded as ‘excessive’ within the meaning of the GDPR and may therefore be abusive. That is the case where the controller demonstrates that, despite formal observance of the conditions laid down by the GDPR for making a request for access, that request was made not for the purpose of being aware of the processing of the data and verifying the lawfulness of that processing, but with the intention, which may be characterised as ‘abusive’, of artificially creating the conditions laid down for obtaining compensation under the GDPR. The fact that, according to publicly available information, the data subject has made a large number of requests for access to his or her personal data, followed by claims for compensation to various controllers, may be taken into consideration for the purpose of establishing the existence of such an abusive intention. In addition, a person who has suffered material or non-material damage as a result of an infringement of the GDPR, including an infringement of the right of access to his or her personal data, has the right to receive compensation from the controller for such damage. The Court states, however, that, in order to obtain such compensation, the data subject must demonstrate, inter alia, that he or she has actually suffered such damage. Furthermore, the data subject cannot receive compensation for damage under the GDPR if his or her own conduct is the determining cause of the damage.

Communications Directorate Press and Information Unit curia.europa.eu Stay Connected! It is for the Local Court, Arnsberg, to resolve the dispute before it, taking into account the answers given by the Court of Justice. NOTE: A reference for a preliminary ruling allows the courts and tribunals of the Member States, in disputes which have been brought before them, to refer questions to the Court of Justice about the interpretation of EU law or the validity of an EU act. The Court of Justice does not decide the dispute itself. It is for the national court or tribunal to dispose of the case in accordance with the Court’s decision, which is similarly binding on other national courts or tribunals before which a similar issue is raised. Unofficial document for media use, not binding on the Court of Justice. The full text and, as the case may be, an abstract of the judgment is published on the CURIA website on the day of delivery. Press contact: Jacques René Zammit ✆ (+352) 4303 3355. Images of the delivery of the judgment are available on ‘Europe by Satellite’ ✆ (+32) 2 2964106. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). Article 15. Where requests for access to personal data are excessive, the controller may, in accordance with Article 12(5) of the GDPR, either charge a reasonable fee taking into account the administrative costs incurred in acting on such requests, or refuse to act on such requests. Thereby enabling the data subject to exercise, depending on the circumstances, his or her right to rectification, right to erasure or right to restriction of processing, and his or her right to object and right of action where he or she suffers damage. In that regard, it is necessary to take into account all the circumstances of the case, in particular the fact that the data subject provided personal data without being obliged to do so, the aim of providing those data, the time that elapsed between the provision of those data and the request for access, and the conduct of the data subject. See Article 82 of the GDPR. The Court further specifies that the non-material damage suffered by the data subject encompasses, in principle, the loss of control over his or her personal data or his or her uncertainty as to whether his or her data have been processed.