ARTICLE
26 March 2026

When GDPR Rights Are Used Strategically: ECJ Clarifies Limits On Access Requests

Chrysostomides Advocates & Legal Consultants


Can a data subject use GDPR access rights as a tool to trigger compensation claims?

In its recent judgment in Brillen Rottler (C-526/24), the European Court of Justice addressed this question directly, confirming that — in certain circumstances — even a first access request may be considered abusive where it is made to create the basis for a damages claim.

Facts of the Case:

  • In March 2023, an individual residing in Austria subscribed to the newsletter of the family-run optician company Brillen Rottler, which was available on the company's website, thereby consenting to the processing of their personal data.
  • Thirteen days later, the individual submitted a request for access under Article 15 of the General Data Protection Regulation (GDPR). According to Article 15, a data subject has the right to obtain from the data controller confirmation as to whether or not personal data concerning them are being processed and, if so, the right of access to such data and the related information.
  • Brillen Rottler refused the request, arguing that it was abusive. According to Brillen Rottler (the data controller), various publicly available information (e.g. blog articles, reports, lawyers' newsletters) shows that the individual deliberately and repeatedly subscribes to newsletters of various companies before submitting a request for access and subsequently a claim for compensation.
  • The data subject subsequently not only pursued her access request, but also brought a claim for non-material damages under Article 82 GDPR, seeking compensation of €1,000.
  • The Local Court, Arnsberg, in hearing the dispute, asked the European Court of Justice whether a first request for access to personal data made by the data subject may be regarded as ‘excessive’ and whether that data subject is entitled to compensation for the damage resulting from an infringement of the right of access to those data.
  • The European Court of Justice, in its recent judgment issued on the 19th of March 2026, replied that, under certain circumstances, a first request for access may be deemed ‘excessive’ and can therefore be regarded as abusive within the meaning of the GDPR.
  • That is the case where the data controller demonstrates that, despite formal observance of the conditions laid down by the GDPR for making a request for access, that request was made not for the purpose of being aware of the processing of the data and verifying the lawfulness of that processing, but with the intention, which may be characterised as ‘abusive’, of artificially creating the conditions laid down for obtaining compensation under the GDPR.
  • The fact that, according to publicly available information, the data subject has made a large number of requests for access to their personal data, followed by claims for compensation to various controllers, may be taken into consideration for the purpose of establishing the existence of such an abusive intention.
  • In addition, a person who has suffered material or non-material damage as a result of an infringement of the GDPR, including an infringement of the right of access to his or her personal data, has the right to receive compensation from the controller for such damage. The Court states, however, that, in order to obtain such compensation, the data subject must demonstrate, inter alia, that they have actually suffered such damage. Furthermore, the data subject cannot receive compensation for damage under the GDPR if their own conduct is the determining cause of the damage.
  • It is for the Local Court, Arnsberg, to resolve the dispute before it, taking into account the answers given by the Court of Justice.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
