I. Introduction
When the law confers rights on individuals, there is the risk that those rights may be exercised in ways that are unjust or pursue aims falling outside their intended purpose. In the context of the General Data Protection RegulationFootnote 1 (GDPR), a significant practical scenario concerns abusive access requests by data subjects. Such requests formally seek from the controller confirmation of whether and what personal data are being processed, yet are not driven by a genuine interest in that information, but rather by the intention to provoke a refusal and subsequently bring a claim for compensation.
On 19 March 2026, the Court of Justice of the EU (the “Court”) delivered its judgment in Brillen Rottler v TC, Footnote 2 a preliminary ruling addressing questions regarding the circumstances under which access requests may constitute an abuse of rights as well as the remedies where a refusal to respond is not justified. The relevant legal framework is shaped by Article 15(1) GDPR, which establishes the data subject’s right of access, and Article 12(5) GDPR, which permits controllers to refuse requests that are manifestly unfounded or excessive, in particular due to their repetitive nature. In addition, Article 82(1) GDPR provides a right to compensation for damage resulting from infringements of the Regulation. Against this background, Brillen Rottler engages with the need to strike a balance between safeguarding the fundamental right to data protection, which expressly includes the right to access,Footnote 3 and preventing abusive procedural practices.
II. Facts
The reference for a preliminary ruling arose in proceedings before the Local Court of Arnsberg, Germany, initiated by Brillen Rottler, a German family-run optician company. The case originated from the actions of TC, a natural person resident in Austria, who subscribed to the company’s newsletter by entering his personal data in an online registration form. Only thirteen days later, TC submitted an access request under Article 15 GDPR. Brillen Rottler refused the request on the ground of alleged abuse of rights. TC maintained his request and additionally claimed € 1000 in compensation under Article 82 GDPR.
Brillen Rottler subsequently sought a declaration before the referring court that TC was not entitled to such compensation. In support of its refusal, it relied on various online reports, blog posts, and legal newsletters, arguing that these indicated a pattern of conduct whereby TC systematically submits access requests solely to provoke refusals and pursue compensation claims. According to the company, subscribing to newsletters, followed by access requests and claims for compensation, formed TC’s modus operandi. TC, by contrast, pursued his claim for compensation by way of a counterclaim, which he based on the non-material damage allegedly suffered as a result of the refusal to grant him access to his personal data.
The referring court submitted eight questions to the Court, primarily concerning the interpretation of Articles 12(5) and 82 GDPR. Following the Opinion of Advocate General Szpunar, the Court addressed them in three parts. The first concerned whether, and under what conditions, even a first access request to a controller may be considered “excessive.” In particular, the referring court wondered whether a controller may rely on publicly available information about a data subject’s conduct when refusing to act on a request.
The second and third parts concerned the scope of the right to compensation under Article 82 GDPR. The referring court sought clarification on whether damages may be claimed for an infringement of the right of access as such. Its doubts arose from recital 146 GDPR, which states that compensation is due for damage suffered “as a result of processing that infringes this Regulation.” It therefore asked whether an access request itself constitutes “processing” of personal data, or whether the right to compensation arises independently of any processing. Finally, the referring court sought clarification on whether an unjustified refusal of access can in itself give rise to non-material damage, notably in the form of loss of control over personal data or the uncertainty resulting from the infringement.
III. Judgment
To begin with, the Court adopted a qualitative understanding of excessiveness under Article 12(5) GDPR, holding that even a first request for access may be considered excessive. In its reasoning, the Court first referred to the wording of the provision and the usual meaning in everyday language, in which the term “excessive” denotes something that exceeds a desirable or permissible amount and thus goes beyond merely quantitative aspects.Footnote 4 Moreover, the reference to the repetitive character of a request in the provision serves only as an example.Footnote 5 Considering the wider context, the Court emphasised that the possibility for controllers to refuse manifestly unfounded or excessive requests is exceptional and must be interpreted restrictively.Footnote 6 The Court further referred to its decision in Österreichische Datenschutzbehörde, Footnote 7 where it interpreted the parallel provision in Article 57(4) GDPR regarding excessive requests to a supervisory authority. There, it understood this provision to be an expression of the general principle that EU law cannot be relied on for abusive or fraudulent ends, which can be transposed to the present case, as Article 12(5) GDPR is worded in similar terms and pursues the same objective.Footnote 8 Accordingly, the Court did not find the number of requests, as such, determinative for the controller’s option of not acting on a request for access. Finally, the judgment also stresses the consistency of this result with the broader objectives pursued by the GDPR, as the protection of personal data is not absolute but to be considered in relation to its societal function and other fundamental rights.Footnote 9
Given the exceptional nature of the provision, the Court held that strict criteria must be met to demonstrate that even a first request is excessive. In line with prior case law, an abusive practice requires an objective and a subjective element. For the objective element, there must be circumstances in which EU rules are formally observed, but their purpose has not been achieved. In this regard, the Court recalled that Article 15 GDPR aims to allow data subjects to be aware of the processing of their personal data and to verify its lawfulness, thereby enabling them to exercise their rights, including claims for compensation.Footnote 10 The subjective element requires the controller to demonstrate “unequivocally” that the purpose of the request was not to be aware of the processing but to artificially create the conditions for obtaining compensation.Footnote 11 The Court emphasised that all circumstances of the case are to be taken into account, including whether the personal data were provided voluntarily, the aim of providing them, the time elapsed before the access request was made, and the data subject’s conduct.Footnote 12 Public information indicating a systematic use of requests and claims for compensation to various controllers, following a modus operandi like in the present case, can be considered but must be supported by other relevant material.Footnote 13
In the second part, the Court addressed the interpretation of Article 82(1) GDPR. Relying on the provision’s wording and its systematic position, it ruled that compensation may be claimed for damage resulting from an infringement of the right of access.Footnote 14 The Court rejected the argument that unlawful data processing is required for compensation. First, this is because such requirement would exclude refusals to provide access from the scope of the right, as the infringement in these cases is not linked to the processing of personal data as such.Footnote 15 Second, in previous case law, infringements of certain other provisions of the GDPR were not seen to constitute unlawful processing, thus excluding the rights to erasure or restriction of processing in these cases. Therefore, the Court argued that such infringements must be remedied by recourse to other measures, including the right to compensation for any damage caused.Footnote 16 Third, a teleological interpretation further supports this view, as limiting compensation solely to unlawful processing would significantly weaken the right of access.
The third part of the judgment addresses non-material damage resulting from unlawful refusals to provide access. The Court held that the loss of control over personal data or the uncertainty as to whether they have been processed is encompassed by non-material damage as an autonomous concept of EU law. Consistent with previous case law,Footnote 17 there is no minimum threshold for such damage; however, mere allegations of fear caused by a loss of control are not sufficient and must be assessed by the national court as well-founded.Footnote 18
IV. Comment
1. Abuse of rights under EU law
The judgment centres around the prohibition of abuse of EU law. In general terms, the prohibition of abuse of rights operates as a corrective mechanism that limits the strict application of legal rules in situations where the formal conditions of a rule are satisfied but the outcome of its application runs counter the objective of that rule.Footnote 19 The prohibition thus addresses the anti-purposive use of a formally satisfied right. While rooted in the private law systems of most Member States,Footnote 20 its precise legal nature has long been the subject of discussion.Footnote 21 The Court first engaged with the concept in the context of free movement law, beginning with the judgment in van Binsbergen Footnote 22 and followed in other free movement cases.Footnote 23 Essentially, this earlier case law concerned the possibility of Member States to address the circumvention of national rules through the abusive exercise of EU free movement rights.
Subsequent rulings have broadened the scope of the concept. In the key ruling in Emsland-Stärke, the Court developed a test for establishing abuse of rights that is independent of any circumvention of national law,Footnote 24 and has since applied this test across a number of areas beyond primary law. Emsland-Stärke itself concerned export refunds, and was later relied upon, for example, in tax lawFootnote 25 and consumer lawFootnote 26 . The test comprises two cumulative elements, an objective element that requires that the purpose of the EU rule has not been achieved despite formal observance of the conditions, and a subjective element that requires the intention to obtain an advantage by artificially creating the conditions laid down for it. It is current settled case law that the prohibition of abuse of EU law constitutes a general principle of EU law.Footnote 27 Not least to note, this principle is also reflected in Article 54 of the Charter.
2. Bringing the two-part abuse test to the GDPR
As secondary legislation often serves to specify and give concrete effect to general principles, Brillen Rottler builds on FT and confirms that Article 12(5) GDPR constitutes an expression of the general principle prohibiting abuse of rights, concretised through the notions of “manifestly unfounded” or “excessive” requests.Footnote 28 In the context of access requests, the latter notion is of particular relevance, since those requests are not subject to substantive conditions and therefore cannot be unfounded on their merits. Following a convincing finding that even initial requests may be excessive, which appears well supported particularly by the provision’s wording, the core of the Court’s reasoning concerns the two-step abuse test drawn from the Emsland-Stärke line of cases. In this regard, the ruling principally aligns well with the prior judicial evolution of this principle.
Compared to Österreichische Datenschutzbehörde, where the Court addressed only the requirement of abusive intention as a precondition for excessiveness under Article 57(4) GDPR,Footnote 29 Brillen Rottler is more explicit in invoking the established two-part test and clearly distinguishes between the objective and subjective elements. The application of the test in the present case is, however, not straightforward. Particularly intricate is the objective element, requiring a combination of circumstances in which, despite formal observance of the conditions laid down by the EU rules, the purpose of those rules has not been achieved. Determining whether this is satisfied hinges on how the purpose of the rule in question is interpreted. The Court holds that the purpose of Article 15 GDPR is to confer a right of access to essentially verify the lawfulness of the data processing and to be able to exercise the respective rights, including that for compensation. Yet, with this understanding of the purpose, it appears to be objectively fulfilled even where the refusal of access and the subsequent compensation claim have been deliberately provoked. While the Court and the Advocate General also note this tension,Footnote 30 it is not made clear how the objective assessment is applied in such cases. The Advocate General found it expedient, where the aim of the rule appears a priori to be achieved, to “begin” by analysing the subjective element.Footnote 31 After doing so, he did, however, not turn to addressing the application of the objective element specifically, and he linked his proposed answer to the referred question instead to the demonstration of the data subject’s abusive intention. The Court, on the other hand, includes both elements as cumulative conditions in its answer, but its only remark on the purpose of Article 15 GDPR formally being fulfilled is that this does not in itself rule out the excessiveness of a request.Footnote 32
Overall, this does not reflect a two-step approach composed of clearly delineated stages, as suggested by the Court. The Court’s analysis ultimately builds on Österreichische Datenschutzbehörde and centres on abusive intention, yet the objective circumstances drive the assessment and also carry much of the weight formally attributed to the subjective element. In this respect, the objective and subjective components are more closely intertwined than the formal test might first suggest. The subjective element thus has an objective value, which is significant given the practical difficulties of investigating motives of natural persons.Footnote 33 This is also in line with the Court’s insistence that the abuse assessment must rest on objective evidenceFootnote 34 and with the “objectification” of intentional elements in other areas of EU law.Footnote 35
Furthermore, reliance on an abusive intent as a separate condition sits in tension with FT, where the Court held that data subjects are not obliged to state reasons for their access request and may pursue reasons not related to become aware of the lawfulness of the processing.Footnote 36 The Court thus seems to require an abusive intent in a context where the motivation behind exercising the right was not deemed relevant. In this light, Brillen Rottler lacks clarity in the relation between objective and subjective elements. They may better be understood as two perspectives on the same underlying question, namely if the formally legal conduct is artificially creating an outcome against the objective of the invoked rule.
3. Abuse of rights in the Digital Omnibus proposal
The rules on abuse of rights are currently under discussion in the context of the proposed Digital Omnibus package,Footnote 37 which seeks to simplify and clarify digital rules and specifically addresses the abuse of the right of access under the GDPR. The proposed revision of Article 12(5) GDPRFootnote 38 involves two key changes. For one, it adds as an example of manifestly unfounded or excessive requests that a data subject abuses their rights “for purposes other than the protection of their data”. This is somewhat circular. While FT and Brillen Rottler treat excessiveness as an expression of abuse of rights, the proposed version frames an abuse as an example of excessiveness. More fundamentally, grounding the assessment only in the data subject’s motive for exercising the right cannot, in light of the remarks above, be reconciled with existing case law, and effectively adds a motive condition into the right of access. It is also unclear what qualifies as data protection purposes, given that in practice access requests typically serve an ancillary function in support of legal disputes in other contexts.Footnote 39 The amendment thus appears to go beyond the current interpretation, though this does not seem to be the purpose of the revision.Footnote 40
The second change would lower the burden of proof for controllers. Whereas Article 12(5) GDPR requires demonstrating the “excessive character of a request,” the proposed version would require only “reasonable grounds to believe” that the request is excessive. This adjustment is intended to reflect the difficulty that the possibly abusive conduct of a data subject lies primarily outside the controllers’ sphere of influence.Footnote 41 Together with the very broad framing of an abuse, this risks undermining the exceptional character of the provision in practice,Footnote 42 which is problematic given the already rather limited level of compliance with the access right.Footnote 43
V. Conclusion
This judgment does not introduce any far-reaching changes, but its contribution lies in extending earlier guidance on abuse of rights both within and beyond the data protection context. Despite the difficulties that the suggested two-part test gives rise to, the Court still provides additional clarity on the abusiveness of access requests as well as on the application of Article 82(1) GDPR to refusals to provide access. This strengthens the position of controllers in defending against abusive practices by data subjects and illustrates the special character of abuse of rights as a general principle that serves to limit, rather than protect, the exercise of rights.Footnote 44 The judgment does not, however, weaken the level of protection of data subjects. Rather, it delineates how the principle applies in the exceptional cases where the conditions of the compensation right under the GDPR are artificially created. The Digital Omnibus proposal, by contrast, risks unsettling this balance by broadening the provision and resting the finding of abuse on the data subject’s motivation, a criterion that raises concerns having regard to the case law and practical enforcement.
Competing interests
The author has no competing interests to declare.