On March 19, 2026, the Court of Justice of the European Union (CJEU) issued an important ruling clarifying when a data subject access request (DSAR) may be refused because it constitutes an abuse of rights under the General Data Protection Regulation (GDPR).
The decision (CJEU, Case C-526/24, Brillen Rottler) addresses a situation that has increasingly concerned companies: the use of GDPR access requests as a litigation strategy to trigger compensation claims.
The Court’s reasoning provides valuable guidance for organizations responding to requests under Article 15 GDPR.
Background of the Case
The dispute arose from a relatively simple situation.
An individual subscribed to a company’s newsletter and provided personal data as part of that subscription.
Thirteen days later, the individual exercised their right of access under Article 15 GDPR, requesting information about the processing of their personal data.
The company refused the request, considering it abusive.
The claimant then sought €1,000 in damages, arguing that the refusal constituted a violation of the GDPR.
The case eventually reached the Court of Justice of the European Union, raising a key legal question:
Can a GDPR access request be rejected when it is exercised solely to provoke a violation and obtain compensation?
The CJEU’s Key Principle: Fundamental Rights Cannot Be Misused
The Court confirmed an important principle of EU law:
A right granted by EU legislation cannot be relied upon for abusive or fraudulent purposes.
This principle applies to GDPR rights, including the right of access to personal data.
The Court therefore recognized that a data subject access request may be refused when it constitutes an abuse of rights.
1. A Single Access Request Can Already Be Abusive
Under Article 12(5) GDPR, a controller may refuse to act on a request that is:
- manifestly unfounded, or
- excessive.
Before this judgment, many practitioners assumed that “excessive” primarily referred to repeated requests.
The CJEU clarified that this interpretation is too narrow.
A request does not need to be repetitive to be abusive.
Instead, the assessment must focus on the purpose and context of the request.
If the request is used in a way that undermines the objective of the GDPR, it may fall within the scope of Article 12(5).
2. The Court Defines the Concept of Abuse of Rights
The CJEU relied on its established case law on abuse of EU law.
Two cumulative elements must be demonstrated.
Objective element
Formally, the request satisfies the legal conditions of Article 15 GDPR.
However, the purpose of the regulation is not achieved.
The right of access exists to allow individuals to:
- understand how their data is processed
- verify the lawfulness of processing
- exercise related rights such as rectification or erasure
It is not intended to artificially create litigation.
Subjective element
There must also be an intention to obtain an improper advantage.
In this case, the alleged strategy consisted of:
- voluntarily providing personal data
- quickly submitting a data access request
- seeking compensation if the company fails to respond perfectly
According to the Court, this behavior may demonstrate a deliberate attempt to misuse the GDPR framework.
3. Indicators of Potential Bad Faith
The CJEU identified several indicators that may suggest an abusive request.
These include:
- the voluntary submission of personal data by the claimant
- a very short time period between providing data and submitting the request
- evidence that the claimant has submitted similar requests to multiple companies
No single factor is sufficient on its own.
However, a combination of these elements may reveal an abuse of rights.
Importantly, the Court emphasized that:
The burden of proving abuse rests on the data controller.
This means that organizations must carefully document the context and circumstances of suspicious requests.
4. Clarification Regarding Compensation Under Article 82 GDPR
The case also addressed the conditions for compensation under Article 82 GDPR.
To obtain damages, three cumulative elements must be established:
- An infringement of the GDPR
- Actual damage suffered by the claimant
- A causal link between the infringement and the damage
The Court highlighted that the causal link may be broken where the claimant has deliberately created the situation giving rise to the alleged harm.
If a person voluntarily submits personal data for the purpose of triggering a GDPR dispute, they cannot rely on that situation to claim damages for loss of control over their data.
Practical Implications for Companies
The Brillen Rottler judgment confirms an important balance within the GDPR framework.
The right of access remains a fundamental right, but it cannot be used as a tool for abusive litigation.
For organizations, the key challenge lies in identifying suspicious requests while maintaining GDPR compliance.
Best practices increasingly include:
- establishing internal procedures for handling data subject requests
- documenting all interactions related to access requests
- conducting legal assessments before refusing a request
Companies that implement structured GDPR governance are significantly better equipped to respond to strategic or potentially abusive requests.
Key Legal Takeaways
The CJEU’s judgment of March 19, 2026 (Case C-526/24, Brillen Rottler) clarifies several important points:
- A GDPR access request can be refused if it constitutes an abuse of rights.
- Repetition is not required; even a first request may be abusive.
- Abuse requires both an objective and a subjective element.
- Controllers must demonstrate abuse using a consistent set of factual indicators.
- Compensation under Article 82 GDPR requires a genuine causal link between violation and damage.
FAQ – GDPR Access Requests and Abuse of Rights
Can a company refuse a GDPR access request?
Yes. Under Article 12(5) GDPR, a controller may refuse requests that are manifestly unfounded or excessive, including requests that constitute an abuse of rights.
Does a request need to be repeated to be excessive?
No. According to the CJEU in Case C-526/24, even a single request may be abusive depending on its context and purpose.
Who must prove that a request is abusive?
The data controller bears the burden of demonstrating the abusive nature of the request.
Can someone claim damages for a refusal of access?
Only if the conditions of Article 82 GDPR are met: a violation of the regulation, actual damage, and a causal link between the two.
Source: https://www.droit-technologie.org/wp-content/uploads/2026/03/CJUE-Arret-rendu.pdf



