This blog discusses a judgment of the Court of Justice of the European Union (hereinafter: 'the Court') of 19 March, in which the limits of the right of access take centre stage. By means of several preliminary questions, the Court clarified under what circumstances a controller may refuse a first access request within the meaning of Article 15 GDPR on grounds of excessiveness, and when an infringement of the right of access may give rise to compensation under Article 82 GDPR.
The Brillen Rottler case
The preliminary questions arose in the case of Brillen Rottler GmbH & Co. KG against TC, a natural person. The central question is to what extent a controller may refuse an access request within the meaning of Article 15 GDPR. The GDPR provides possibilities to refuse an access request where requests are manifestly unfounded or excessive.
Background to the preliminary questions
Brillen Rottler is a German family business providing optician services that offered the possibility on its website to subscribe to a newsletter. In March 2023, TC subscribed to this newsletter, provided relevant personal data and gave consent for the processing of his personal data. Thirteen days after subscribing, TC submitted an access request to Brillen Rottler. Within one month, Brillen Rottler responded to this access request and rejected it on the grounds that the request was excessive within the meaning of Article 12(5) GDPR. Following the rejection of the request, TC claimed compensation of EUR 1,000 from Brillen Rottler. Brillen Rottler subsequently brought the matter before the court.
At first instance, Brillen Rottler argued that various reports, blogs and legal bulletins showed that TC systematically submits access requests in order to subsequently claim compensation for an alleged infringement of his GDPR rights. The court then referred preliminary questions to the Court of Justice, which the Court grouped into three clusters:
-
Can a first access request be 'excessive' and if so, when?
-
Does an infringement of the right of access give rise to a right to compensation within the meaning of Article 82 GDPR?
-
Does non-material damage also include 'loss of control' over personal data?
A first access request can be excessive
Article 12(5) GDPR provides scope to refuse access requests from data subjects where these are manifestly unfounded or excessive. In practice, the interpretation of the term 'excessive' primarily focuses on the repetitive nature of requests. If a data subject frequently submits the same access request, this may constitute grounds for the controller to reject the access request. In its judgment, the Court takes the view that the term excessive refers to something that "exceeds the ordinary or reasonable measure, or that exceeds the desirable or permitted measure". This means that excessive has both qualitative and quantitative characteristics. On the basis of this finding, the Court rules that it cannot be excluded that a first access request is excessive.
However, the Court emphasises that Article 12(5) GDPR constitutes an exception to the obligation to facilitate the right of access. This exception must be interpreted restrictively. Before a first access request can be qualified as excessive, two cumulative criteria must be met, with the burden of proof resting entirely on the controller. These elements are:
-
The objective element: It must be objectively established that the requester is exercising the right of access without wishing to obtain knowledge of the processing or to verify its lawfulness.
-
The subjective element: It must be apparent that the requester intentionally seeks to obtain an advantage by artificially creating the conditions whereby an advantage arises. Such as, for example, providing personal data oneself in order to subsequently submit an access request.
According to the Court, all circumstances of the case must be taken into account when assessing these elements. Relevant factors include whether the requester provided the personal data without being obliged to do so, the purpose of that provision, the time elapsed between that provision and the access request, and the requester's conduct. To prove the requester's intent, the controller may use publicly accessible information showing that the requester is abusing their right. The condition for establishing abuse is that the public information is confirmed by other relevant data.
Infringement of the right of access gives rise to a right to compensation
The second preliminary question concerned whether Article 82(1), on compensation and liability, must be interpreted as meaning that the requester is entitled to compensation in the event of an infringement of the right of access under Article 15(1). The Court confirms this interpretation. Article 82(1) refers to an 'infringement of this Regulation' rather than an infringement of a processing operation. Moreover, infringements of Chapter 3 of the GDPR consist of a refusal to comply with a request and not of infringing a processing operation. If Article 82 GDPR were limited solely to processing damage, an infringement of Chapter 3 GDPR could never lead to an obligation to compensate. This would undermine the effectiveness of the provision, thereby significantly weakening the rights of data subjects under the GDPR.
Does non-material damage also include "loss of control" over personal data?
With regard to the third question, the Court rules that non-material damage may include the loss of control over personal data and over the processing of personal data. However, conditions are attached to this:
The data subject must have actually suffered damage. Claiming compensation solely because personal data may possibly be misused in the future is therefore insufficient. The court will in that case examine whether the fear can be considered well-founded in that specific case. The Court adds a nuance here: the connection between the infringement and the damage may be broken by the requester's conduct. If the loss of control over personal data was caused by the requester's own decision to provide data with the aim of artificially creating conditions for compensation, that damage is not eligible for compensation.
What does this judgment mean for practice?
The Court confirms that a single access request can be excessive. In practice, this means that the controller, when assessing an access request, may look at the requester's behavioural pattern. On the basis of the requester's conduct, the controller can assess whether the request is submitted to be informed about a processing of personal data, or whether it is submitted to force compensation. The following behavioural patterns may help in this regard:
-
The requester provides personal data voluntarily.
-
The time between providing personal data and submitting an access request is very short.
-
The requester makes similar requests to other controllers.
In practice, this exception will not be readily applicable. The evidentiary threshold is very high, making it unlikely that a controller will be able to meet it. Moreover, in few cases will a controller obtain information about the requester clearly showing that the requester has submitted a similar access request to many other controllers, or that they intend to abuse their GDPR rights for personal gain. Nevertheless, this judgment confirms that the controller need not be powerless when it is clear that access requests are being submitted with the intention of abusing GDPR rights.
Would you like to read more case laws? View our data & privacy case law blog for march 2026 here.
