European Union: Court of Justice of European Union issued judgment clarifying abusive data access requests and compensation rights under General Data Protection Regulation

On 19 March 2026, the Court of Justice of the European Union (CJEU) issued a judgment in Case C-526/24 (Brillen Rottler GmbH & Co. KG v TC) on a reference from the Local Court Arnsberg in Germany. The case arose from a request by an individual who, 13 days after subscribing to the newsletter of German optician Brillen Rottler GmbH & Co. KG and providing personal data, submitted a request for access under Article 15 of the General Data Protection Regulation (GDPR). The company refused the request as abusive and subsequently claimed before the referring court that the individual engaged in similar conduct across multiple controllers to generate compensation claims. The Court held, firstly, that a first request for access under Article 15 of the GDPR may be deemed excessive under Article 12(5) where the controller demonstrates, in light of all relevant circumstances, that the request was made with abusive intent rather than to verify the lawfulness of data processing, such as where the data subject artificially creates conditions to obtain compensation. Such refusals must be interpreted restrictively and the burden of proof lies with the controller. Evidence of repeated requests followed by compensation claims to other controllers may be taken into account. Secondly, the Court held that data subjects have a right to compensation under Article 82(1) of the GDPR for infringements of the right of access, even without unlawful data processing as such. Thirdly, non-material damage under Article 82(1) may include loss of control over personal data or uncertainty about its processing, provided the data subject demonstrates actual damage and that their own conduct was not the determining cause of that damage.