The Court of Justice of the EU has clarified that a data subject access request made solely to manufacture a compensation claim, rather than to exercise genuine data protection rights, may lawfully be refused as excessive.

On 19 March 2026, in the case of Brillen Rottler GmbH & Co. KG v TC, the Court of Justice of the European Union (“CJEU”) considered when a data subject access request (“DSAR”) may be refused on the grounds that it is “excessive” and an abuse of one’s data protection rights. The CJEU also considered the circumstances for claiming damages under Article 82 of the GDPR for infringements of the GDPR. 

Summary

In March 2023, an individual, referred to as “TC”, subscribed to the newsletter of Brillen Rottler GmbH & Co. KG (“Brillen Rottler”), a family-run optician company based in Germany. TC entered his personal data in the registration form on the company’s website and consented to the processing of his data. 13 days later, TC sent a DSAR to Brillen Rottler.

Brillen Rottler rejected the DSAR, considering it unlawful under the terms of Article 12(5) of the GDPR, stating that “Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either:

• charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or

• refuse to act on the request.

“The controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.”

As a result of Brillen Rottler’s refusal, TC claimed compensation for damages under Article 82 of the GDPR, in the amount of €1,000.

Article 82 of the GDPR provides that “Any person who has suffered material or non-material damage as a result of an infringement of the GDPR shall have the right to receive compensation from the controller or processor for the damage suffered.”

Brillen Rottler maintained that TC was not entitled to claim compensation and also argued that it was apparent from various online reports and lawyer blog posts that TC was systematically and abusively making DSARs for the sole purpose of obtaining compensation by alleging infringement of the GDPR. It further claimed that TC was deliberately provoking those infringements using the same modus operandi: subscribing to a newsletter and then submitting a DSAR, followed by a claim for damages.

To determine whether Brillen Rottler was justified in refusing TC’s DSAR under Article 12(5) of the GDPR, the court examined the following question: “Whether an initial access request can be characterised as ‘excessive’, within the meaning of Article 12(5) of the GDPR, where the data subject has made it in order to subsequently be able to obtain compensation from the controller and where publicly available information indicates that, in the event of infringement of the law relating to the protection of personal data, the data subject asserted in a large number of cases his or her right to compensation against the controller.”

The CJEU considered whether an initial access request can be considered excessive. The CJEU held that an initial access request may be regarded as “excessive” where the data controller demonstrates that, in the light of all the relevant circumstances, the request is not made by the data subject for the purpose of being aware of the processing of their personal data and verifying the lawfulness of that processing, in order to be able, subsequently, to obtain protection of their data protection rights, but with an “abusive intention”, such as that of artificially creating the conditions laid down for obtaining an advantage from Article 15 of the GDPR.

The characterisation of a request for access as “excessive” does not require that that request necessarily be made in connection with the submission of a large number of requests by the same data subject.

The CJEU held that the fact that, according to publicly available information, TC made a large number of requests for access to his personal data, followed by claims for compensation, to various controllers, may be taken into consideration for the purpose of establishing the existence of an abusive intention.

The CJEU further considered whether TC was entitled to damages under Article 82 of the GDPR. Under Article 82(1) of the GDPR, “any person who has suffered material or non-material damage as a result of an infringement of the GDPR shall have the right to receive compensation from the controller or processor for the damage suffered.”

The CJEU held that TC was not entitled to compensation for the damage allegedly suffered as a result of the loss of control over his personal data or as a result of his uncertainty as to whether his data had been processed because the causal link was broken by TC’s conduct, in so far as that loss of control or that uncertainty was caused by TC’s decision to submit his data to the company with the aim of artificially creating the conditions laid down for the application of Article 82.

Conclusion

The CJEU’s judgment in Brillen Rottler GmbH & Co. KG v TC provides helpful clarification for when a DSAR may be refused if the request is made with an abusive intention, such as the sole intention of generating a compensation claim, rather than exercising genuine data protection rights. While the burden of proof lies with the data controller to demonstrate this abusive intent, the ruling provides a helpful example of when a DSAR may be considered abusive. The CJEU’s judgement also provides helpful clarification for when a DSAR may be considered “excessive”, noting that this is not limited to when a data controller may receive a large quantity of DSARs by the same individual.