Faegre Drinker Biddle & Reath LLP, a Delaware limited liability partnership | This website contains attorney advertising.
April 15, 2026

Court of Justice of the European Union Rules That a First Data Subject Access Request Can Be Refused as Excessive

Case C-526/24 Brillen Rottler GmbH & Co. KG v TC [2026]

At a Glance

  • Brillen Rottler is a meaningful development for organisations that handle high volumes of DSARs and have faced what appears to be systematic, compensation-driven activity. 
  • Organisations should use this judgment as an opportunity to review and strengthen their DSAR workflows, rather than as an invitation to deny requests that are merely challenging. 

The Court of Justice of the European Union (CJEU or Court) has confirmed that a controller may refuse a data subject's very first access request under Article 15 GDPR as "excessive" where it can demonstrate, to a high evidential standard, that the request was made with abusive intent — for example in order to bring a compensation claim rather than to exercise a genuine right. The ruling also clarifies that compensation under Article 82 GDPR is available for breaches of the right of access even absent any unlawful processing, but that the causal link to damages can be broken by the data subject's own conduct.

This judgment is binding across the EU, but is only treated as persuasive in the English courts. Companies with operations in both jurisdictions should assess their data subject access request (DSAR) policies separately for each.

Background

In March 2023, TC, an individual resident in Austria, subscribed to the newsletter of Brillen Rottler, a family-run opticians practice based in Germany. He entered his personal data into the newsletter registration form on the company's website and consented to its processing. Thirteen days later, he submitted a DSAR under Article 15 GDPR, which grants data subjects the right to obtain confirmation of whether their personal data is being processed and, if so, access to that data.

Brillen Rottler refused the request, arguing it was abusive. In support, the company pointed to publicly available reports, blog articles, and legal newsletters indicating that TC followed a systematic pattern: subscribe to a company's newsletter, submit a DSAR, then claim compensation when the controller refused to comply. TC disputed this and claimed at least €1,000 in non-material damages under Article 82 GDPR for the refusal. Once proceedings were brought, the German court referred a series of questions to the CJEU.

Issue 1: Can a First DSAR Be Refused as "Excessive"?

The CJEU confirmed that a data subject's first access request may be refused as "excessive" within the meaning of Article 12(5) GDPR, provided the controller can demonstrate abusive intent. The Court reasoned that reference to "repetitive" requests in Article 12(5) is illustrative only, not a prerequisite. The decisive question is not how many requests have been made, but whether the request was made with an abusive purpose. The Court anchored this in the general EU law principle that EU rights cannot be invoked for abusive or fraudulent ends.

The Court was clear, however, that this exception must be interpreted restrictively and applies only exceptionally. The bar for controllers is deliberately high.

The Two-Part Test for Abusive Intent

To establish abusive intent, the controller must satisfy both limbs of a structured test:

  1. Objective element: Despite the request formally satisfying the conditions of Article 15, the purpose of that provision (i.e., enabling the data subject to seek confirmation of the details of any processing of their personal data and verify the lawfulness of such processing) has not in fact been achieved.
  2. Subjective element: The data subject made the request not for the purpose of finding out about any processing of their data in order to obtain protection for their rights under the GDPR, but in fact for some other abusive intention (for example, with the intention of obtaining compensation from the controller by artificially creating the conditions set out in the GDPR to give them a right to such compensation).

Critically, the Court required the controller to demonstrate abusive intent "unequivocally", a demanding standard that goes beyond mere suspicion or circumstantial inference. The Court also emphasised that the burden of proof for demonstrating abusive intent lies with the controller.

Relevant Factors

In assessing whether abusive intent exists, the Court identified the following relevant (but non-exhaustive) circumstances:

  • Whether personal data was provided on a voluntary basis, without any obligation to do so
  • The stated or objectively ascertainable purpose for which the data subject provided the data
  • The time elapsed between the provision of data and the submission of the access request
  • The overall conduct and history of the data subject, including any publicly available evidence of a pattern of systematic requests followed by compensation claims to multiple controllers

On that last point, the Court confirmed that publicly available evidence such as reports, blogs, and legal newsletters documenting a data subject's pattern of behaviour may be taken into account, but only if corroborated by other relevant material. 

Issue 2: Compensation under Article 82 GDPR

Compensation Is Available for Breaches of the Right of Access

The CJEU confirmed that Article 82(1) GDPR confers a right to compensation for damage resulting from a breach of the right of access under Article 15, even where that breach does not involve any act of unlawful data processing. Article 82(1) refers broadly to "an infringement of this Regulation" and is not restricted to processing-related violations. This is significant in that wrongful refusal to comply with a request, including one that seeks to rely on the Brillen Rottler defence without sufficient evidence, is independently exposed to a damages claim.

Conditions for Compensation

To obtain compensation under Article 82(1), the data subject must establish three cumulative conditions:

  1. An infringement of the GDPR
  2. The existence of material or non-material damage actually suffered
  3. A causal link between the infringement and the damage

The data subject must therefore demonstrate actual damage distinct from the mere fact that a breach occurred. Loss of control over personal data and uncertainty as to whether data has been processed can in principle constitute non-material damage, but this must be proven on the specific facts.

Causation 

The Court introduced an important causation defence for controllers. The causal link between a GDPR infringement and alleged damage may be broken by the data subject's own conduct, provided that the data subject's conduct is the determining cause of the damage. For example, where a data subject has deliberately shared personal data with a controller for the sole purpose of manufacturing a compensation claim (as alleged in the Brillen Rottler case), rather than for any genuine engagement, the causal chain between the controller's conduct and any alleged harm is severed, effectively foreclosing the serial litigant model.

The Digital Omnibus Regulation: Legislative Context

The Brillen Rottler judgment arrives during the EU legislative process for the European Commission's proposed Digital Omnibus Regulation. The draft proposal would amend the GDPR to expressly permit refusal of DSARs that abuse GDPR rights for purposes other than the protection of personal data. Recital 35 of the draft proposes that the evidential burden on controllers should be reduced to a "reasonable" standard, on the basis that abusive conduct is outside the controller's sphere of influence. This creates a tension with the CJEU's approach, which appears to impose a restrictive, evidence-heavy standard. Whether the text of the Omnibus Regulation will be amended to reflect the decision is not yet clear. 

Applicability in the UK

The judgment is binding across EU member states but does not bind the English courts or the Information Commissioner's Office (ICO), although they may treat it as persuasive, particularly where the UK GDPR provisions in question are materially identical to their EU equivalents. The ICO's existing guidance on Article 12(5) continues to govern the UK position. Companies should assess their DSAR policies separately for EU and UK operations and should not assume that a defensible refusal in Germany will be similarly accepted by the ICO or an English court.

Practical Steps for Controllers

Brillen Rottler is a meaningful development for organisations that handle high volumes of DSARs and have faced what appears to be systematic, compensation-driven activity. It confirms that the right of access, like all EU rights, cannot be exercised abusively. 

The threshold for establishing abusive intent is high, however, and the exception will only apply in limited circumstances. Organisations should use this judgment as an opportunity to review and strengthen their DSAR workflows, rather than as an invitation to deny requests that are merely challenging. Some practical steps for businesses include:

  • Updating DSAR intake processes
  • Documenting refusal decisions rigorously
  • Reviewing policies separately for the UK and EU