The Court of Justice of the European Union (CJEU) has clarified in Brillen Rottler (C-526/24) that, in exceptional circumstances, even a first data subject access request (DSAR) may be refused as “manifestly unfounded or excessive” under Article 12 para. 5 GDPR.

This is an important development. However, the judgment should not be misunderstood. The Court sets a strict and narrowly defined threshold, which will be difficult to meet in practice.

The Case

The case concerned an individual who subscribed to the optician Brillen Rottler’s newsletter and, less than two weeks later, submitted an access request under Article 15 GDPR. The company refused the request, arguing that it formed part of a broader pattern. According to publicly available information, the individual had allegedly followed a strategy of subscribing to services, submitting access requests, and subsequently pursuing compensation claims.

The individual challenged the refusal and sought compensation for non-material damage.

When a First Request Can Be Excessive

The key clarification from the Court is that a request does not need to be repetitive to be considered excessive. Even a first request may fall within Article 12 para. 5 GDPR if it is abusive.

To establish this, the Court relies on its established doctrine of abuse of rights, requiring two elements. First, an objective element: although the request formally complies with GDPR requirements, it does not serve the purpose of the right of access. Second, a subjective element: the data subject intends to obtain an advantage by artificially creating the conditions for it.

As the Court puts it,

“proof of an abusive practice requires (i) a combination of objective circumstances … and … (ii) a subjective element consisting in the intention of the data subject to obtain an advantage … by artificially creating the conditions”

In practical terms, this means that the controller must demonstrate that the request was not made to understand or verify the lawfulness of processing, but for another purpose, such as creating the basis for a compensation claim.

At the same time, the Court makes clear that this is not an easy argument to rely on. The evidentiary threshold is particularly high. The controller must demonstrate unequivocally, and in light of all relevant circumstances, that the request was abusive. Formal compliance with Article 15 GDPR does not exclude abuse, but mere suspicion is clearly insufficient.

The Court also indicates that elements such as timing, the context in which the data were provided, and the broader conduct of the data subject may be relevant. Public information showing a pattern of similar requests and compensation claims may also be taken into account, but only if supported by additional evidence.

In practice, this significantly limits the situations in which a refusal will be justified. Most organizations will not have sufficient visibility into a data subject’s broader behavior to meet this standard.

Compensation Requires Actual Damage and a Causal Link

The judgment is equally important on compensation under Article 82 GDPR. The Court confirms that a GDPR infringement does not automatically give rise to compensation. The data subject must demonstrate that they have actually suffered material or non-material damage, and that there is a causal link between that damage and the infringement.

This is particularly relevant in scenarios involving potentially abusive requests. The Court clarifies that the causal link may be broken where the damage is the result of the data subject’s own conduct. This may be the case, for example, where the individual voluntarily provides personal data with the aim of creating the conditions for a claim.

In such situations, alleged loss of control or uncertainty regarding the processing cannot, in itself, justify compensation.

Lessons Learned

From a practical perspective, the message for organizations is clear. While the judgment confirms that abusive access requests can, in principle, be refused even at the first request stage, this remains a strictly limited safeguard. Controllers now have a precedent that may offer protection in specific cases, but it should not be over-relied upon.

It is important not to interpret this judgment as a general basis for refusing requests. The application of this exception requires a careful assessment against the two-layer test described above.

The default position continues to be full compliance with Article 15 GDPR. Any decision to refuse a request must be carefully assessed, supported by clear and objective evidence, and properly documented.

Given the high evidentiary threshold and the litigation risk associated with both refusal and compensation claims, these situations require a particularly careful legal assessment. Involving the DPO or privacy counsel at an early stage can be critical to ensure that decisions are defensible, proportionate, and aligned with current case law.