In its judgment of 19 March 2026 in Case C-526/24, the Court of Justice held that even a first request for access to personal data may be refused as abusive where it is submitted by the data subject solely for the purpose of pursuing compensation. The ruling places an important limit on strategic access requests, while preserving the substance of the right to data protection.
On 19 March, the Court of Justice of the European Union clarified the limits of the right of access under the GDPR in cases where that right is used for instrumental purposes. The case arose from a request for access submitted by a customer to a German optical retailer, which the controller refused on the ground that it was excessive and motivated by profit-seeking intentions. The reference for a preliminary ruling in Case C-526/24, Brillen Rottler GmbH & Co. KG v TC, was made by a German court, which asked the Court three questions: first, whether a request for access may be regarded as “manifestly unfounded or excessive” even when it is the first request, given that Article 12(5) refers in particular to requests that are repetitive; second, whether that provision allows the controller to refuse access where the data subject submits the request with the intention of creating the basis for future damages claims against the controller; and third, whether publicly available information, such as material showing that the data subject systematically brings compensation claims in similar cases, may be taken into account in assessing whether refusal is justified.
The facts of the case
The case concerned an Austrian citizen who had subscribed to the online newsletter of Brillen Rottler, a company based in Arnsberg, Germany, by entering his personal data in the registration form. Only 13 days later, he exercised his right of access in relation to the data held by the company. Brillen Rottler rejected the request, describing it as abusive. It relied on publicly available information, including press articles and legal blogs, suggesting that the requester repeatedly subscribes to newsletters and then systematically exercises the right of access in order to seek compensation for alleged GDPR infringements. The claimant disputed that assessment and sought at least €1,000 in damages for non-material harm allegedly caused by the refusal. The German court, which had to rule on the lawfulness of the refusal, asked the Court to interpret Article 12(5) GDPR in light of such repeated conduct, with particular emphasis on whether even a first request may be manifestly unfounded or excessive.
Article 12(5) GDPR and the abuse of the right of access
The dispute therefore turned on the interpretation of Article 12(5) GDPR, which permits the controller to refuse a request that is manifestly unfounded or excessive. That exception was intended to screen out requests that are plainly instrumental or disproportionate. According to the Court, it is not necessary for the data subject to have made previous requests before the one at issue. What matters is the overall context and the purpose underlying the request. If the controller can show that the request was not made in order to obtain access to personal data, but rather with the abusive aim of laying the groundwork for a damages claim, the request may be refused as excessive. In that sense, the GDPR implicitly recognises a principle of abuse of the right of access: where the request is not directed to the genuine protection of personal data, but instead to the artificial creation of a prejudice from which compensation may later be claimed, the right is being used for a purpose foreign to its function.
What lies behind abuses of the right of access?
Why do such abuses occur? The judgment also sheds light on the opportunistic motives that may drive this conduct. In Brillen Rottler, the data subject appears to have been seeking an unjustified financial gain. The strategy was to provoke a formal refusal and then bring proceedings against the company for non-material damages. This modus operandi, which is also supported by publicly available information, is designed to produce monetary compensation rather than to vindicate a genuine data protection interest. In short, those who abuse the right of access attempt to turn a free compliance mechanism into a revenue-generating device. The Court nevertheless recalled that, under Article 82 GDPR, compensation is available only where the data subject proves actual material or non-material damage resulting from a violation of the Regulation.
Conclusion
As several commentators have already noted, the Brillen Rottler judgment marks an important limit on the instrumental use of the right of access under the GDPR. The Court held that even a first request for access may, in certain circumstances, be regarded as excessive and therefore refused. This pragmatic solution helps prevent systemic abuse of the right, which would otherwise distort the balance struck by the data protection framework. The decision is significant because it implicitly acknowledges the principle of abuse of rights, traditionally rooted in civil law, within the GDPR context. The broader effect is to reinforce the coherence of the system: genuine data subjects retain effective tools for the protection of their rights, while opportunistic attempts to exploit those tools for purely compensatory purposes are curtailed.