Written by privacylawbarrister

Data Subject Access Requests: When can a Controller Reject a Request as Abusive?

The Court of Justice of the European Union (‘CJEU’) has ruled that a data subject access request (‘DSAR’) can be abusive if it is being made solely for the purpose of making a claim for compensation. 

In Brillen Rottler GmbH v TC[1], the data subject had signed up for a newsletter from the optician company. About two weeks after signing up, he made a data subject access request, seeking confirmation that his personal data was being processed and the right of access to it.

The company refused because the requester was known publicly – through reports on the internet and lawyers’ newsletters – to have systematically brought GDPR claims against companies after signing up to their newsletter. The data subject repeated his request, adding a claim for 1,000 euros.

Brillen Rottler argued that because the data subject was notorious for deliberately provoking a GDPR infringement, that it was abusive, and any access request could be ignored outright. It sought a declaration that the data subject was not entitled to any compensation. The referring court was unsure whether Article 12(5) GDPR permitted refusal based on public information, and whether a controller could reject a first-time request on this basis. The court was also wanted to know if a right of compensation arose in these circumstances.

The CJEU was asked for an interpretation on the following:

  • Whether a first-time request made to a controller is capable of being ‘manifestly unfounded or excessive’ under Article 12(5) GDPR; 
  • If a controller can refuse a DSAR where there is publicly available information that show the data subject is making the claim to provoke a GDPR claim; 
  • Whether a data subject has the right to compensation under Article 82(1) GDPR where the basis of the claim – a refusal of access to personal data under Article 15(1) GDPR – does not involve processing of personal data.

Can a request be excessive if it has been made for the first time?

The CJEU stated that because the GDPR does not define what may be regarded as ‘excessive’, it is necessary to consider not just the wording of the provision, but also its context and objectives. It concluded that the fact that both qualitative and quantitative characteristics are referred to in the provision (‘excessive’ and ‘repetitive’) means it can encompass a first-time request (paragraph 25). Further, as a general principle, a data subject cannot rely on EU law to make abusive or fraudulent acts. A controller may therefore rely on Article 12(5) to reject a first-time DSAR if it can establish “an abusive intention on the part of a data subject” irrespective of the number of requests made.[2]

The court went on to state that the concept of ‘excessive requests’ must be interpreted restrictively and the burden of demonstrating the excessive character of the request is on the controller.[3]

To establish a request as excessive, and taking into account all the facts and circumstances, proof requires the following[4]:  

  • Objective circumstances in which the purpose of the data protection rules has not been achieved; and
  • A subjective element: that the data subject intended to use the rules to obtain an advantage.

At paragraph 41, the court stated that in this case the controller would need to “demonstrate unequivocally that the data subject has made [the access request] not for the purpose of being aware of that processing, but for the purposes of artificially creating the conditions laid down for obtaining compensation from that controller.” It is possible to consider public information to establish abusive intentions, so long as it is supported by other relevant material.[5]

The Right to Compensation

The CJEU highlighted that the wording of Article 82(1) contains no reference to ‘processing’ but simply to an infringement of the regulation. This means compensation is not limited to damage resulting from the processing of personal data because this would give it a narrow interpretation, which undermines the effectiveness and purpose of the GDPR.[6]

However, any infringement of the GDPR by itself, does not give rise to a right to compensation. There must also arise material or non-material damage that is caused by the infringement.[7]

The court concluded that the right to compensation also applies in a situation where a data subject is uncertain as to whether their personal data has been processed. However, if the conduct of the data subject causes the damage incurred, the causal link between the alleged infringement and the alleged damage can be broken.[8] It does not apply where the data subject has “artificially created the conditions laid down for the application of that provision.”[9]

Case Comment

Since Brexit, decisions in the CJEU are no longer binding on the UK courts but nevertheless can still be persuasive. While at first blush this case appears helpful to controllers, it is quite narrow in application, establishing only that public information can be used as evidence of a particular modus operandi of the data subject.

Whether Article 12(5) UK GDPR can be applied to a first-time DSAR has not yet been tested. The High Court has been willing to find DSARs abusive under the provision where numerous and repetitive DSARs are made to one particular controller, where the real aim is to obtain documents rather than personal data, and where the data subject has a disingenuous collateral purpose for those documents.[10]

Note that there is a wide divergence between the UK and the CJEU on the interpretation of Article 82 of the GDPR. See my article on the decision of the UK Supreme Court on whether loss of control of personal data can attract compensation (click here).  Unlike in the UK, in the EU, loss of control alone is capable of being damage and fear of future misuse can also qualify if it is well-founded.[11]

If you are interested in any further information or advice, please contact my clerks on 0203 179 2023 or clerks@millenniumchambers.com

This blog is maintained for information purposes only. It is not intended to be a source of legal advice and must not be relied upon as such. Copyright @ 2016-2026 Melissa Stock. All rights reserved. The author does not give permission for extraction of data from this site.

[1] C-526/24 ECLI:EU:C:2026:216.

[2] See paragraph 31 of the judgment.

[3] See paragraph 35 of the judgment.

[4] As established in previous cases: FT (Copies of medical records) C-307/22, EU:C:2023:811, Osterreichische Datenschutzbehorde v FR (Excessive Requests) C-416/23 EU:C:2025:3, and Matmut v TN and Others, C-236/23, EU:C:2024: 761)

[5] At paragraph 43 of the judgment.

[6] At paragraphs 49 to 53 of the judgment.

[7] Paragraph 59, citing Osterreichische Post (Non-material damage in connection with the processing of personal data) C-300/21 EU:C:2023:270 and Quirin Privatbank C-655/23 EU:C:2025:655.

[8] Paragraph 65 of the judgment.

[9] Paragraph 66 of the judgment.

[10] Lees v Lloyds Bank Plc [2020] EWHC 2249 (Ch)

[11] See UI v Osterreichische Post, C-300/21 EU:C:2023:370, Gemeinde Ummendorf C-456/22 EU:C:2023:988 and Agentsia po vpisaniyata C-200/20 EU:C:2024:827