Can you reject a GDPR access request? Prove it!

Case C-526/24 Brillen Rottler discusses a hot topic in privacy land (especially if you are following the Digital Omnibus package), namely when a GDPR access request crosses the line into abuse, and what controllers can do about it.

The dispute arose after an individual subscribed to an optician’s newsletter, then shortly afterwards submitted an Article 15 access request. The controller refused to act, arguing that the request formed part of an abusive strategy, deliberately triggering GDPR infringements in order to claim compensation. The German court asked the CJEU to clarify how far controllers may go in pushing back against such behaviour, and whether a refusal to comply with Article 15 can support a claim for damages.

Context

Article 15 GDPR: right of access

Article 15 GDPR gives the data subject the right to know whether the controller processes their personal data and, if so, to obtain access to that data and information about how the data is being processed. In Brillen Rottler, Article 15 is the starting point of the whole dispute. The data subject subscribed to the company’s newsletter and, 13 days later, submitted an access request.

The controller deemed this excessive and refused to comply. This case is not about whether the right of access exists, but whether, in this concrete setting, the controller could lawfully refuse to act on the request because it considered the request abusive or excessive.

Article 12(5) GDPR: manifestly unfounded or excessive requests

Article 12(5) GDPR is the controller’s main defence in this case. It says that, in principle, information and actions taken under Articles 15 to 22 must be provided free of charge. But where a request is manifestly unfounded or excessive, in particular because it is repetitive, the controller may either charge a reasonable fee or refuse to act. The burden of proof lies with the controller.

The controller refused the access request on the basis that it considered the request abusive. According to the controller, the data subject was deliberately subscribing to services and then filing access requests with the aim of triggering GDPR infringements and claiming damages. Even though this was the data subject’s first request, the controller still deemed it excessive.

This raises an important question: does the data subject’s intent matter in determining whether a request is excessive?

Article 82 GDPR: compensation

Article 82 GDPR establishes the right to compensation for damage resulting from an infringement of the GDPR. Anyone who suffers material or non-material damage as a result has the right to receive compensation from the controller or processor responsible.

The provision has become one of the main drivers of private GDPR enforcement. Individuals increasingly combine data subject requests with claims for damages. Over the last few years, the CJEU has clarified several aspects of this provision, including the conditions for non-material damage and the requirement of a causal link between the infringement and the damage.

In the present case, the individual not only maintained the access request but also claimed compensation of EUR 1,000 for non-material damage, arguing that the company’s refusal to comply with Article 15 infringed the GDPR and that this infringement caused harm.

Relevance

While the basis of the case is simple, the implications reach much further. Since data subjects are increasingly exercising their rights (in both good and bad faith, for example in an employment context or in consumer disputes), controllers are often unsure when exactly a request can be denied because it is excessive.

Building on this, GDPR compensation claims are also on the rise. Compensation culture varies across Member States, but the legal uncertainty affects controllers and data subjects everywhere. More clarity on this topic would be beneficial for both parties.

CJEU decision

The Court clarified that Article 12(5) GDPR is not limited to repeat requests. Although the provision mentions “repeated” requests as an example, this is illustrative only, meaning that a controller can treat even a first-time access request as excessive, provided the right conditions are met.

The right of access is not absolute: Recital 4 GDPR makes clear that it must be balanced against other fundamental rights, in line with the principle of proportionality. So what does “excessive” mean in this context?

What is an abuse of rights?

The Court’s starting point is a basic principle: people cannot misuse EU law to gain an unfair advantage. A request can be called “excessive” under Article 12(5) GDPR if it is essentially an abuse of the right of access. To treat a request that way, the controller must prove two things:

  1. The objective part: looking at all the facts, the request was not actually made for the reason the right of access exists, even if it ticks all the formal boxes on paper.
  2. The subjective part: the person deliberately engineered the situation so they could invoke the GDPR and gain an advantage from it.

In short, a request is abusive if the person was not genuinely trying to find out how their data is being used or check whether it is being handled lawfully. Instead, they were using the request to, for example, set up a claim for compensation against the controller.

What should a controller do?

The burden of proof lies with the controller. To refuse or charge for a request on the grounds of excess,

“…the controller must unambiguously demonstrate that the data subject submitted the access request in order to artificially create the conditions necessary to obtain compensation, rather than for any legitimate data protection purpose.”

This is a very high threshold for the controller. Factors that may support that conclusion include:

  • Very short period between signing up for a processing activity and submitting a request;
  • The data subject has a track record of making similar requests to multiple controllers (as in this case);
  • The request is part of a bigger ongoing litigation unrelated to data protection.

Conclusion

This judgement does provide more clarity. The Court has confirmed that a single request can be excessive, meaning controllers are not powerless when faced with what appears to be bad-faith behaviour, even if it is a first-time request.

In practice, this remains a high bar. Controllers need concrete evidence pointing to an ulterior motive, and they should document that evidence carefully before refusing to act.

The broader takeaway is that the GDPR cannot be weaponized, but proving abuse on a case-by-case basis remains an uneasy task for controllers. This ruling changes little in day-to-day practice. What it does do is confirm that the door is not completely closed, and that in very specific, well-documented circumstances, refusal is legally defensible.

Written by

Enzo Marquet