ECJ: Unreasonable requests for information may be rejected: “Brillen Rottler” clarifies the limits of Articles 15 and 82 of the GDPR
Update Data Protection No. 240
In its judgment of March 19, 2026 (Case C-526/24, Brillen Rottler), the CJEU clarified that even an initial request for access may, under certain circumstances, be classified as abusive and rejected. However, this requires the controller to demonstrate that, although the request formally satisfies the requirements of the GDPR, it was not made for the purpose of exercising the data subject’s rights of transparency and control, but solely with the intention of artificially creating the conditions for a subsequent claim for damages under Article 82 GDPR.
The decision addresses two key practical issues: First, under what conditions data controllers may reject a request for access based on abuse or excessiveness. Second, whether and under what conditions a claim for damages under Article 82 of the GDPR may arise from a refusal or insufficient provision of information. Thus, the judgment concerns the practical handling of strategically motivated requests from data subjects as well as the scope of liability risk under the GDPR.
Facts
The proceedings were based on a legal dispute between the optical company Brillen Rottler and a private individual. In March 2023, the individual had subscribed to a newsletter via the company’s website and thereby consented to the processing of her personal data. Thirteen days later, the individual submitted a request for access under Article 15 GDPR to the company. Brillen Rottler rejected the request within the prescribed time limit, citing the abusive or excessive nature of the request. Subsequently, the data subject not only pursued the right of access but also asserted a claim for non-material damage under Article 82 of the GDPR in the amount of 1,000 euros.
Brillen Rottler justified its position by arguing that publicly available sources showed that the defendant systematically provoked alleged data protection infringements to base claims for damages on them. The Arnsberg Local Court stayed the proceedings and referred several questions to the CJEU for a preliminary ruling. The focus was particularly on whether a first-time request for access could already constitute an abuse of rights, what significance should be attached to the data subject’s motivation to seek damages, and whether Article 82 of the GDPR necessarily requires the processing of personal data.
The Core Issues of the Case
The CJEU essentially had to rule on the following points: First, whether an initial request for access can under any circumstances be classified as excessive or abusive within the meaning of Article 12(5) of the GDPR. Second, whether the data subject’s intention to use the request for access to prepare a subsequent claim for damages can justify a refusal. Third, whether publicly available information regarding a corresponding pattern of behaviour by the data subject is sufficient for this purpose. Fourth, whether a violation of the right of access itself can give rise to a claim for damages under Article 82 of the GDPR and whether “processing” within the meaning of Article 4(2) of the GDPR is required for this. Finally, the question arose as to whether a mere loss of control or uncertainty regarding the handling of personal data already constitutes non-material damage.
Key Findings of the CJEU
On the defence of abuse of rights
The CJEU clarifies that even an initial request for access may, in certain circumstances, be regarded as “excessive” within the meaning of Article 12(5) GDPR and may therefore be abusive. What is decisive in this regard is not merely the formal exercise of the right of access, but the purpose for which that right is exercised. A request may be refused where the controller demonstrates that it was not made in order to obtain awareness of the processing of personal data and to verify its lawfulness, but solely in order to artificially create the conditions for a claim for damages.
On the motivation of the data subject
The Court places particular emphasis on the objective pursued by the access request. The mere fact that a data subject intends to assert a claim for damages at a later stage is not, in itself, sufficient. What is decisive, rather, is whether the right of access is being used for a purpose contrary to its function. According to the judgment, a request is abusive where it is not aimed at reviewing the data processing but serves solely to generate a claim scenario.
Regarding publicly available information about a pattern of conduct
The CJEU acknowledges that publicly available information indicating a systematic course of conduct on the part of the data subject may be taken into account when assessing whether a request is abusive. In this context, it may be relevant whether the data subject has, in a manner apparent to the public, repeatedly submitted requests for access to various controllers and subsequently linked such requests to claims for damages. While such circumstances may not necessarily be sufficient in isolation, they may constitute a significant indication of an abusive intention.
Regarding Art. 82 GDPR
At the same time, the Court confirms that a claim for damages under Article 82 GDPR is not limited to classic cases of unlawful data processing. In principle, an infringement of the right of access may also give rise to material or non-material damage and thus found a claim under Article 82 GDPR. In doing so, the CJEU underlines that the procedural safeguards provided for by the GDPR may also be relevant from a liability perspective.
On non-material damage
The Court makes it equally clear that Article 82 GDPR does not provide for automatic compensation for every infringement of the law. The data subject must demonstrate that he or she has in fact suffered material or non-material damage. In addition, a claim is excluded where the data subject’s own conduct constitutes the decisive cause of the alleged damage. This is significant in practice, because it means that neither the mere rejection of an access request nor the mere invocation of a loss of control will automatically give rise to a claim for damages.
Implications for practice
The decision is relevant for companies in two key respects. On the one hand, it strengthens controllers in dealing with clearly strategically motivated access requests. The CJEU recognises that data subject rights cannot be instrumentalised independently of their protective purpose. On the other hand, the Court does not lower the threshold for refusing such requests but instead makes refusal contingent upon substantiated proof of abusive intent. A hasty reliance on Article 12(5) GDPR therefore remains risky.
The judgment is equally significant from a liability perspective. Companies cannot assume that infringements of the right of access fall outside the scope of Article 82 GDPR. Anyone who wrongfully refuses or inadequately responds to an access request remains exposed to civil liability. That risk is, however, limited by the requirement that the data subject must plead and prove actual damage, and by the fact that the data subject’s own conduct may exclude liability where it constitutes the decisive cause of the alleged damage.
What companies should do now
First, companies should review their processes for handling access requests to ensure that atypical or strategically motivated requests can be properly identified and documented. Following the judgment, the defence of abuse is available, but it requires a sufficiently robust factual basis.
Second, publicly available indications of a systematic course of conduct on the part of an applicant should not be relied upon in a blanket manner, but should instead be assessed in a structured way in light of the specific circumstances of the individual case. This requires reliable documentation showing why the request in question does not serve the purpose of reviewing the data processing, but rather the artificial preparation of claims for damages.
Third, controllers should in future align refusals of access requests more closely with their liability assessment under Article 82 GDPR. This is because an infringement of the right of access may, in principle, also be relevant for damages purposes.
Fourth, it is advisable to refine internal escalation and approval processes for cases involving suspected abuse. Decisions to refuse access in whole or in part should be legally reviewed, clearly documented, and prepared in a manner capable of withstanding scrutiny in subsequent litigation.
Conclusion
With Brillen Rottler, the CJEU brings the interests of data subjects and controllers into a new balance. The Court continues to protect the right of access as a central transparency instrument of the GDPR, while at the same time making clear that it must not be misused to artificially generate claims for damages. For companies, this is an important signal: abusive requests can be resisted, but only on the basis of a carefully established and well-documented case. At the same time, the judgment makes equally clear that errors in handling access requests may continue to have liability consequences.