DSARs under scrutiny: CJEU clarifies abuse and non-material damage in Brillen Rottler

Partnerblog

The GDPR gives individuals strong rights to access their personal data. But those rights are not absolute: organisations may refuse data subject access requests that are manifestly unfounded or excessive. On 19 March 2026, the Court of Justice of the EU (« CJEU« ) clarified in the Brillen Rottler judgement (C-526/24).

The CJEU addressed two key questions:

  • Can a first DSAR already be considered excessive?
  • What are the limits of compensation claims for non‑material damage in this context?
Don’t miss a thing, subscribe today!

Stay up to date by subscribing to the latest Technology and Data insights from the experts at Fieldfisher.Subscribe now

Context

An Austrian resident (« TC« ) subscribed to the newsletter of Brillen Rottler, a German optician. Thirteen days later, TC submitted a DSAR.

Brillen Rottler refused the request, considering it abusive under Article 12(5) GDPR, and asked TC to withdraw it. TC maintained its request and added a claim for at least 1,000 EUR in compensation for non‑material damages.

Subsequently, Brillen Rottler sought before the German courts a declaration that TC is not entitled to any compensation. To support its claims, Brillen Rottler relied on publicly available sources suggesting that TC systematically submits access requests with the aim of obtaining compensation for an alleged infringement, which he provoked in the first place. These sources show that TC subscribes to newsletters, makes a request for access and lastly submits a claim for compensation.

A first DSAR can be regarded as an excessive request

The CJEU held that a first DSAR may, in certain cases, be regarded as « excessive » under Article 12(5) GDPR and may therefore be refused.

More particularly, the CJEU explained that an “excessive request” is not limited to repetitive requests. Although repetition may be an indication, the CJEU stressed that excessiveness is also a qualitative assessment considering the specific circumstances of the request. In its reasoning, the CJEU relied on the general EU law principle prohibiting the abuse of rights.

At the same time, the CJEU underlined that a rejection of a DSAR is an exception to the obligation to facilitate the exercise of DSARs and must therefore be interpreted restrictively. The burden of proof in this instance lies with the controller.

To establish that a first DSAR is excessive, the controller must demonstrate abusive conduct, which requires two cumulative elements:

  • An objective element: although the conditions of a DSAR are formally met, the request does not serve the purpose of the right of access, namely enabling the data subject to be aware of and verify the lawfulness of the processing; and
  • A subjective element: the request is made with abusive intent, namely for a purpose other than being aware of the processing of personal data and verifying the lawfulness of that processing, for example with the aim of artificially creating the conditions for a compensation claim.

In practice, several factors may help assess whether a request is abusive. These include the time elapsed between the provision of data and the DSAR, whether the data subject voluntarily provided data or evidence of a broader pattern of behaviour (such as systematically subscribing to services only to request access and seek compensation).

In short, a first DSAR is not immune from refusal, but only where the controller demonstrates that the right of access is being exercised abusively rather than in line with its intended purpose.

In addition, the CJEU held that the right to compensation for non-material damage under Article 82 GDPR may apply to an infringement of the GDPR, even where that infringement does not itself involve the processing of personal data.

However, this wide scope does not translate into automatic liability. In this respect, the CJEU recalls its prior case-law that compensation is subject to the cumulative fulfilment of three conditions, namely an infringement of the GDPR, actual damage suffered and a causal link between the two.

While such damage is not limited to a certain degree of seriousness, the data subject must nonetheless demonstrate that it has actually suffered damage and that the consequences of the infringement differ from the mere infringement of the GDPR. A loss of control over personal data or uncertainty as to whether personal data have been processed may, for example, constitute non-material damage, but it cannot be presumed and must be proven.

Finally, the CJEU held that the causal link may in certain cases be broken by the data subject’s own conduct, provided that such conduct is the determining cause of the damage. In case of an alleged loss of control, that causal link may be broken because of the data subject’s decision to submit data to a controller with the aim of artificially creating the conditions for a damage claim.

Practical impact on DSARs and compensation claims

The Brillen Rottler judgment does not materially alter the legal framework governing DSARs. What is new is that these principles are now explicitly confirmed in the context of a first DSAR.

First, the judgment confirms that a first DSAR is not immune from refusal under Article 12(5) GDPR. The CJEU clarifies that excessiveness is not limited to repetition, but requires a qualitative assessment and may, in exceptional cases, lead to a request being considered excessive from the outset where abusive intent is demonstrated. This provides legal clarity in scenarios involving systematic or strategic use of DSARs, without expanding the scope of the exception.

Second, the judgment confirms the relatively high threshold for relying on abuse of rights. Refusal remains exceptional, must be assessed in light of all the circumstances, and the burden of proof lies with the controller. Controllers must therefore be able to substantiate, on a case-specific basis, both that the request does not serve the purpose of the right of access and that it was submitted with an abusive intention. Publicly available information may contribute to this assessment, but only as part of broader evidence.

Last, the judgement confirms that non-material damage may be established for infringements of the GDPR, even where the infringement does not itself consist of processing of personal data. However, compensation will only be awarded where the data subject can show actual damage going beyond the infringement as such and a causal link between an infringement and such damage, provided that the causal link is not broken by the data subject’s own conduct.

Taken together, the practical relevance of the Brillen Rottler judgement lies in confirming how existing principles apply at an early stage, and in underlining the importance of careful, well-documented DSAR decision-making, particularly in case of refusals. Companies should review their DSAR workflows and ensure that they allow for a documented, case-by-case assessment of potential abuse, while preserving the exceptional nature of refusals.

Against that background, the European Commission’s proposed GDPR Omnibus package seeks to further clarify Article 12(5) GDPR by expressly addressing abusive requests. The proposal builds on the existing concepts of “manifestly unfounded” and “excessive” requests and indicates that requests pursued for purposes unrelated to the protection of personal data as such may qualify as abusive.

Do not hesitate to reach out to Nathalie Poupaert and Irem Güzel if you wish to discuss the implications of the Brillen Rottler judgement or the proposed GDPR Omnibus package on your companies’ DSAR workflows.

With thanks to Lelia Franck and Jitse Nijs who contributed to the preparation of this article.

Authors:

Nathalie Poupaert and Irem Guzel

Partager