26.03.2026
Gernot Fritz, Tanja Pfleger
In its judgment of 19 March 2026 in case C-526/24 (Brillen Rottler), the CJEU addressed key practical questions on the interplay between the right of access, the concept of abuse, and damages under the GDPR. The Court clarified, on the one hand, that controllers may, in exceptional circumstances, rely on the excessive or abusive nature of even a first access request. On the other hand, it made equally clear that a breach of the right of access under Article 15 GDPR can, in itself, give rise to a claim for damages under Article 82 GDPR. In doing so, the Court sharpens the boundaries between legitimate exercise of rights and abuse, without undermining the right of access as a core data subject right.
The case arose from a scenario that is increasingly familiar from a business perspective: a data subject subscribed to a newsletter, shortly thereafter submitted an access request under Article 15 GDPR, and subsequently claimed non-material damages. The company refused to respond, arguing that the request was abusive and intended to provoke damages claims. The referring German court therefore sought clarification, in particular, on whether even a first access request can be “excessive” and whether a mere infringement of the right of access can give rise to damages.
A first access request can exceptionally be excessive
Notably, the CJEU does not exclude a first request under Article 15 GDPR from the scope of Article 12(5) GDPR. According to the Court, even an initial access request may be considered “excessive” where the controller demonstrates, in light of all relevant circumstances, that the request was not made to become aware of the processing or to verify its lawfulness, but rather for abusive purposes – for example, to artificially create the conditions for obtaining a benefit under the GDPR, in particular a damages claim.
At the same time, the Court emphasises that this remains an exception. The threshold is high, the concept must be interpreted narrowly, and the burden of proof lies with the controller.
For practice, this is a key clarification. This judgment does not mean that companies can routinely invoke abuse in response to inconvenient or “suspicious” requests. Rather, the CJEU requires clear evidence that the right of access is being misused for purposes other than those intended by the GDPR. Publicly available information suggesting that an individual has pursued similar patterns of requests followed by damages claims may serve as an indication – but it will not be sufficient on its own. The decisive factor remains the overall assessment of the specific case.
The CJEU safeguards the right of access – despite the abuse exception
From a doctrinal perspective, the decision fits well into the CJEU’s existing case law. The Court once again underlines that the right of access is a central mechanism of the GDPR, enabling data subjects to gain transparency and verify the lawfulness of processing. Precisely for that reason, the abuse exception must not be interpreted too broadly.
For companies, this is a useful clarification, but not a general relief. Any reliance on Article 12(5) GDPR requires a solid factual basis, and courts can be expected to apply this exception cautiously. Mere discomfort with the applicant’s motives will not suffice. Nor will it generally be enough that a request is submitted shortly after data collection or accompanied by legal claims. What matters is whether abusive intent can be established on both an objective and subjective level.
Damages also for mere infringement of the right of access
Even more significant for day-to-day advisory work is the second core finding: according to the CJEU, Article 82(1) GDPR does not require that the claimed damage stems directly from a separate act of data processing. A breach of a data subject right – in this case, the right of access under Article 15(1) GDPR – may itself give rise to compensable damage.
In other words, unlawfully refusing to provide access may, in itself, trigger liability under Article 82 GDPR.
This approach is consistent. Limiting Article 82 GDPR to damages resulting from “processing operations” in a narrow sense would deprive core data subject rights of their practical effectiveness. The Court explicitly avoids this outcome, emphasising that Chapter III GDPR strengthens data subject rights and that Article 82 must also cover their infringement as an effective remedy.
For practice, this means that incorrect or refused responses to access requests are not merely a regulatory issue, but may have direct civil liability consequences. Companies should therefore treat access request handling not as an administrative side issue, but as a core compliance function with liability implications.
Loss of control and uncertainty may constitute non-material damage – but not automatically
The CJEU confirms its established approach to non-material damage. A loss of control over personal data or uncertainty as to whether such data are being processed may, in principle, constitute non-material damage within the meaning of Article 82 GDPR.
At the same time, the Court reiterates that a GDPR infringement does not automatically give rise to a damages claim. The data subject must demonstrate actual damage and a causal link between the infringement and that damage. A mere assumption is not sufficient.
The Court thus maintains a balanced position. On the one hand, it rejects any de minimis threshold and recognises loss of control as a potentially compensable harm. On the other hand, it continues to require a real and demonstrable damage and a concrete causal link. This is particularly relevant in the context of strategically submitted access requests: where the data subject has effectively engineered the situation leading to the alleged damage, causation may be lacking.
What does this mean for companies?
The judgment does not revolutionise existing practice, but it recalibrates it in important respects. Companies gain a potentially useful – but narrowly confined – argument against clearly abusive access requests. At the same time, the practical importance of well-structured access request processes increases further, as the CJEU reinforces the liability implications of infringements of Article 15 GDPR.
From an operational perspective, there is much to be said for reviewing and refining internal processes for handling data subject requests. This includes consistent documentation, clear decision-making criteria for potential abuse scenarios, robust escalation paths, and careful reasoning where reliance on Article 12(5) GDPR is considered. Rejecting access requests prematurely will increasingly expose companies to damages claims.
Conclusion
With its judgment in Brillen Rottler, the CJEU establishes a balanced yet demanding framework. The right of access remains a strong data subject right and cannot be dismissed merely because a request appears strategic or confrontational. In exceptional cases, however, even a first request may be abusive and thus excessive. At the same time, the Court makes it clear that infringements of the right of access must be taken seriously from a liability perspective.
The practical takeaway is clear: the abuse defence should be used with great caution – while access request processes require the highest level of care.
Because the real risk often lies in the process, not the request. We are happy to support you in assessing the impact of this decision on your organisation and with data subject access requests.
