With its judgment in Brillen Rottler (C-526/24), the Court of Justice of the European Union (CJEU) has now clarified that, under specific circumstances, a data controller is entitled to refuse an access request — even if it is the first one submitted by the data subject.
This is the real turning point of the decision.
The key principle: access requests can be rejected if abusive
The CJEU explicitly confirmed that a request under Article 15 GDPR may be considered “excessive” and therefore refused under Article 12(5) GDPR, where it is abusive.
Importantly, this is not limited to repetitive requests.
- Even a first access request can be rejected
- The decisive factor is not frequency, but purpose
According to the Court, a request is abusive where it is made:
- not to understand how personal data is processed;
- but to artificially create the conditions for claiming compensation under the GDPR.
This clarification significantly expands the practical scope for refusing access requests.
From formal compliance to purpose-based assessment
The decision introduces a substantive assessment of intent.
Until now, controllers were generally expected to comply with access requests unless they were manifestly unfounded or repetitive. The CJEU now makes clear that formal compliance with GDPR requirements is not sufficient if the underlying purpose is abusive.
This means that companies may:
- assess the broader context of the request;
- consider patterns of behaviour;
- rely on evidence suggesting strategic or systematic litigation conduct.
For example, the Court acknowledged that repeated requests followed by compensation claims across multiple organisations may indicate abusive intent.
But the threshold remains high
While the judgment opens the door to rejecting access requests, it does not lower the bar.
The burden of proof remains on the controller.
This creates a delicate situation:
- rejecting a request without sufficient evidence may itself breach the GDPR;
- complying with abusive requests may expose companies to opportunistic claims.
In practice, this means that refusal must remain the exception, not the rule.
Compensation claims: no automatic entitlement
The CJEU also reinforces that damages under the GDPR require actual harm.
To succeed in a compensation claim, the data subject must prove:
- a GDPR infringement;
- actual material or non-material damage;
- a causal link between the two.
Crucially, the Court clarifies that no compensation is due where the damage is caused by the data subject’s own conduct.
This is particularly relevant where access requests are used strategically to trigger claims.
Operational impact: a new compliance dilemma
This judgment has immediate practical implications.
Companies should now reassess how they handle access requests, particularly in scenarios involving:
- repeated or patterned requests;
- short time gaps between data provision and access requests;
- indications of litigation-driven behaviour.
At the same time, organisations must implement robust internal processes to:
- document evidence of potential abuse;
- ensure consistency in decision-making;
- involve legal teams in high-risk cases.
A broader shift in GDPR enforcement?
The ability to reject a GDPR access request in case of abuse reflects a broader evolution in EU data protection law.
The GDPR was designed to empower individuals — but not to enable systematic exploitation of its mechanisms.
The CJEU is now sending a clear message:
Data subject rights are fundamental, but they are not immune from limits when used in bad faith.
What’s next?
The Brillen Rottler decision marks a critical clarification: GDPR access requests are not absolute — they can be rejected when abusive.
For companies, this creates both an opportunity and a risk:
- an opportunity to push back against strategic misuse;
- a risk of misjudging intent and triggering non-compliance.
The real challenge going forward will be operational:
How can organisations confidently identify abusive requests without undermining legitimate data subject rights?

