
CJEU confirms that a single DSAR can be “excessive” if made with abusive intention

Article 15 of the GDPR grants individuals the right to make a data subject access request (DSAR) to obtain confirmation from a controller whether their personal data is being processed and, if so, access to that data along with various supplementary information. However, the controller may refuse to act on the DSAR if the request is “manifestly unfounded” or “excessive”. 

On 19 March 2026, the Court of Justice of the EU (CJEU) ruled in Brillen Rottler (Case C‑526/24) that even a first DSAR may be refused as “excessive” where the controller demonstrates it was made with abusive intention.

The CJEU also clarified the scope of compensation available to data subjects, confirming that a violation of the right of access can give rise to damages, but not where the data subject’s own conduct is the determining cause of the damage.

Background

The case concerned an individual residing in Austria who subscribed to the newsletter of Brillen Rottler, a family-run optician company in Germany. The individual submitted a DSAR shortly after. Brillen Rottler refused the DSAR, pointing to publicly available reports suggesting that the individual followed this pattern systematically with multiple controllers, claiming compensation when controllers refused to comply. When the individual maintained his request and added a damages claim for €1,000, Brillen Rottler brought proceedings before a German court of first instance, seeking a declaration that no compensation was owed. The individual counterclaimed and the court referred eight questions to the CJEU.

A first DSAR can be “excessive”

The first set of preliminary questions asked whether a data subject’s first DSAR can be considered “excessive”, and if so, under what circumstances. The CJEU held that it can. The GDPR mentions repetitive requests as one example of “excessive” DSARs, but the CJEU confirmed that this is merely illustrative, not a requirement. Applying the general EU law principle prohibiting abuse of rights, it held that the decisive question is not how many DSARs the data subject has made, but whether they were made with abusive intention.

The CJEU stressed that this exception must be interpreted restrictively, that the threshold for qualifying a first DSAR as excessive must be high, and that the burden of proof lies on the controller.

Proving abusive intention

The CJEU set out a two-part test to establish abusive intention.

First, the controller must demonstrate that the purpose of Article 15 GDPR — enabling the data subject to be aware of the processing and to verify its lawfulness — was not in fact achieved. The CJEU stressed that this can be the case even where a DSAR formally complies with the conditions of Article 15 GDPR.

Second, the controller must establish that the data subject made the request with the intention to obtain an advantage under the GDPR by artificially creating the conditions for obtaining it.

To assess these elements, the CJEU identified several relevant circumstances: whether the data subject provided data without being obliged to do so, the purpose of providing the data, the time elapsed between data provision and the DSAR, and the data subject’s overall conduct. The CJEU confirmed that publicly available evidence of a pattern of systematic DSARs may also be taken into account, provided it is supported by other elements.

Damages for violation of the right of access

In a separate set of preliminary questions, the referring court asked whether the GDPR confers a right to compensation for a violation of the right of access, and what type of damage qualifies.

The CJEU confirmed that the right to compensation covers damages resulting from a violation of the right of access, even where the infringement relied on does not itself consist of unlawful processing of personal data. It reiterated the conditions already clarified in earlier case law: the data subject must prove a GDPR violation, actual damage, and a causal link; a mere allegation of fear does not suffice.

The CJEU also went further on causation. It noted that the causal link between the alleged infringement and the alleged damage may be broken by the conduct of the data subject, in which case the controller owes no compensation, provided that the data subject's conduct proves to be the determining cause of the damage.

Practical implications

The ruling gives controllers more room to refuse DSARs not genuinely aimed at verifying the lawfulness of processing, though the threshold for proving abusive intention remains high and is for the controller to demonstrate. 

Controllers may wish to consider updating their DSAR response workflows to include an early-stage abuse-of-rights assessment and to document red flags at the point of receipt. This may include the timing between data submission and the access request, whether the data was provided voluntarily, and the data subject's overall conduct. 

The ruling also comes during the legislative process for the Commission’s Omnibus Proposal, which (as explained in our previous blog post) would amend the GDPR to add an express ground for refusing DSARs that abuse GDPR rights for purposes other than the protection of personal data. The EDPB and EDPS, in their Joint Opinion on the Proposal, welcomed the attempt at clarification but objected to that formulation and recommended linking the test instead to abusive intention. This position aligns closely with the test set out by the CJEU in this ruling. Whether the final Omnibus text retains the broader formulation or narrows it to require abusive intention remains to be seen.

 
