15 April 2026

When Does A First DSAR Become Excessive: Implications Of The CJEU's Brillen Rottler Decision

Herbert Smith Freehills Kramer LLP

Miriam Everett’s articles from Herbert Smith Freehills Kramer LLP are most popular:
  • within Privacy topic(s)
  • with Senior Company Executives, HR and Finance and Tax Executives
  • with readers working within the Healthcare, Law Firm and Construction & Engineering industries

When can a data access request cross the line from legitimate to abusive? On 19 March 2026, the CJEU ruled in Brillen Rottler (Case C-526/24) that even a first DSAR can be refused under Article 12(5) GDPR as "excessive" where the controller demonstrates it was made with abusive intent. 

Key findings include:

  • Decisive factor is intent not just the number of requests: Whether a request is "excessive" turns on both qualitative and quantitative characteristics. While frequency or repetition may be indicators, the data subject's intent is the more decisive factor.
  • Burden of proof: Abusive intent must be demonstrated by the controller. Relevant circumstances to consider include the time elapsed between the provision of the data and the access request, the data subject's conduct (such as repeated DSARs followed by compensation claims across multiple controllers), and the underlying objective of the request.
  • Exceptional for first-time requests: Reliance on Article 12(5) in respect of first-time requests should remain exceptional. The high evidential threshold remains and controllers are subject to strict criteria where a request is the first of its kind.
  • Compensation requires actual damage: Article 82(1) GDPR provides a right to compensation for damage stemming from an infringement of Article 15(1) GDPR (such as where the refusal process is defective), regardless of whether the infringement involved unlawful processing. However, compensation is excluded where the data subject's own conduct was the decisive cause of the damage. 

The judgment arguably tightens the reins on mass‑claim strategies, while also recognising that the lower threshold of “uncertainty” about processing may still amount to non‑material damage. The message is clear: the GDPR protects individuals, not opportunistic behaviour; but controllers must be ready to evidence abuse and justify refusals.

The rest of this article provides a little more detail and commentary regarding the judgment.

The facts 

The case concerned an Austrian individual who subscribed to the newsletter of German optician Brillen Rottler by entering his personal data into the website registration form and consenting to its processing. Thirteen days later, he submitted a DSAR under Article 15 GDPR.

Within one month, Brillen Rottler refused the request under Article 12(5) GDPR, considering it abusive, and invited the individual to withdraw it. The company relied on publicly available information suggesting that he had systematically submitted DSARs to various controllers solely to obtain compensation for alleged GDPR infringements he had deliberately engineered.

When the individual maintained his access request, he added a claim for €1,000 in non‑material damages under Article 82 GDPR. Brillen Rottler sought a declaration before the local court in Arnsberg that no compensation was payable. The individual counterclaimed, and the court referred eight questions to the CJEU.

A DSAR can be "abusive" even if it is the first request 

Art 12(5) GDPR permits controllers to refuse to act on requests, or charge a reasonable fee, where they are "…manifestly unfounded or excessive, in particular because of their repetitive character…"

Article 12(5) is a relatively high bar: according to the European Data Protection Board ("EDPB") and various national regulators (such as the UK ICO), controllers must prove the request is unreasonable and that it is not merely burdensome or large in volume. The Irish Data Protection Commissioner has also stated "There should be very few cases where a controller can justify a refusal of a request on this basis."

In Brillen Rottler the CJEU held that a first request for access may be regarded as "excessive", although such a case should remain exceptional. The court noted:

  • Recital 4 GDPR makes clear that the right to data protection is not an absolute right and must be balanced against other fundamental rights in line with proportionality.
  • The term "excessive" relates both to qualitative and quantitative characteristics and does not exclude first-time requests.
  • As set out in the Advocate General's Opinion (point 28), repetitive character is referred to in Article 12(5) solely by way of example; a request therefore does not need to be one of a large number of requests by the same data subject in order to be excessive.

Article 12(5), it said, reflects the broader EU principle that individuals cannot rely on EU law "for abusive or fraudulent ends". However, the CJEU emphasised that controllers are subject to strict criteria where the request is the first of its kind.

Controllers must prove the abuse

Article 12(5) clearly places the burden of proof on the controller. Demonstrating abuse requires evidence of: 

  • objective circumstances showing that the purpose of Article 15 GDPR (i.e. enabling the data subject to be aware of the processing and to verify its lawfulness) has not been achieved; and 
  • a subjective element where the data subject's intention is "to obtain an advantage from the GDPR by artificially creating the conditions set out for obtaining it". 

The decisive factor is intent not just the number of requests

To satisfy the subjective limb, the controller must establish, "having regard to all the relevant circumstances of each case, that there has been an abusive intention on the part of the data subject".[1]

An abusive intention may be found "where the data subject has made that request for a purpose other than that of being aware of the processing of those data and verifying the lawfulness of that processing." The controller must show "unequivocally" that the data subject has "submitted a DSAR in order to artificially create conditions laid down for obtaining compensation from that controller". 

Examples of the relevant circumstances of the case to consider include the time elapsed between the provision of the data and the access request; the conduct of the data subject; and the underlying objective of the request.

Evidence of a pattern of behaviour can be relied on

The CJEU confirmed that controllers may use publicly available information to help demonstrate abusive intent, such as evidence that the data subject has made repeated DSARs followed by compensation claims across multiple controllers, provided this is supported by other relevant material.

Compensation under Art 82 requires actual damage and uncertainty is compensable

The court held that Article 82(1) GDPR confers a right to compensation for damage stemming from an infringement of Article 15(1) GDPR (e.g. if the refusal process is flawed), regardless of whether the infringement involved unlawful processing.

It further clarified that non-material damage includes loss of control over personal data and uncertainty as to whether data has been lawfully processed. However, the data subject must still prove a GDPR infringement, actual damage, and a causal link – and his or her own conduct cannot be the decisive cause of that damage. 

Recognising “uncertainty” as damage arguably lowers the threshold for data subjects seeking compensation.

Commentary

The judgment offers controllers slightly greater flexibility to refuse DSARs not genuinely aimed at verifying the lawfulness of processing, although the evidential burden remains high. It signals clearly that GDPR rights cannot be weaponised or relied upon for abusive or opportunistic ends, albeit it will likely be rare that there is sufficient evidence to meet the threshold of an abuse of process. 

French perspective: DSARs as a litigation tool in employment disputes

In France, the CJEU's reasoning in Brillen Rottler resonates particularly strongly in the employment context, where DSARs are increasingly weaponised as tactical instruments or "fishing expeditions" by employees seeking leverage in disputes. French courts[2] have, in recent months, drawn a consistent line: Article 15 confers a right to personal data, not to documents, and controllers may respond proportionately to requests that are disproportionately broad or pursue purposes extraneous to the right of access.

This emerging jurisprudence sends a clear signal: the GDPR is not a backdoor to documentary disclosure that would otherwise be unavailable in litigation. 

Brillen Rottler therefore reinforces an approach already emerging in French employment litigation. Timing, scope and context matter. Where a DSAR is made on the eve of a dispute, framed in unusually broad terms, or coupled with compensation claims, this may support an inference that the request pursues a purpose foreign to the right of access. While refusals remain exceptional and tightly policed, the focus on intent and proportionality strengthens the defensive toolkit available to employers faced with tactical DSARs.

The message for French employers is therefore nuanced: Article 12(5) is not a licence for blanket refusals, but it can operate as a narrow shield against abusive strategies, provided the refusal is carefully reasoned, proportionate and fully documented.

UK perspective: Assistance will depend on context

While Brillen Rottler applies only in the EU, the ruling is consistent with guidance from the ICO relating to the same language of "manifestly unfounded or excessive" in the UK GDPR. The ICO considers a request may be manifestly unfounded if a data subject "clearly has no intention to exercise their right or if the request is malicious in nature".

In an employment context, the decision in Brillen Rottler is unlikely to shift the dial significantly. DSARs have long been a feature of employment disputes, used by employees seeking leverage (given the potential cost in producing a response) or attempting to circumvent the lack of pre-action disclosure in UK employment tribunals. Nearly a decade ago the UK courts took the same approach as the French courts to a certain extent, reiterating that data subjects are entitled to data, not documents, and that any search for personal data only needs to be reasonable and proportionate.[3] However, both the courts and the ICO are clear that "an employer cannot refuse to provide the information just because it thinks the person wants it for litigation purposes. The purpose behind a request is not relevant in considering whether a request is valid."[4] At most, a "collateral purpose" may be considered as one of multiple factors in justifying whether a request is manifestly unfounded or excessive. That remains a high threshold in the UK and, as in Brillen Rottler, requires clear evidence that a data subject is abusing their rights to further their position, whether in litigation or otherwise.

However, in a corporate context where data subjects have voluntarily provided personal data while obtaining goods or services, this decision may re-shape how organisations respond to repetitive DSARs and mass claim strategies. In practice, controllers may wish to: 

  • strengthen early DSAR assessment processes, including retaining communications with data subjects around the time of DSARs and considering any wider indicators of abusive intent or patterns;
  • maintain DSAR logs and evidence trails, including internal records of decisions and the rationale for any refusal (clearly articulating the abusive intention identified and ensuring the reasoning is based on demonstrable evidence); and
  • ensure DSAR governance aligns with broader GDPR compliance, including staff training and legal involvement in refusal decisions.

A judgment that echoes the current Digital Omnibus Proposal

As a final point, it is worth noting that the ruling also aligns with the European Commission’s draft Digital Omnibus Regulation, which seeks to codify an ability to refuse abusive DSARs (for further information see our blog here). Recital 35 of the proposal states that abusive intent includes situations where a DSAR is designed to provoke refusal in order to trigger compensation and would allow controllers to meet a lower burden of proof (to a “reasonable level”), potentially easing the high threshold historically applied. 

Footnotes

1. Judgment of 12 January 2023, Österreichische Post (Information regarding the recipients of personal data), C-154/21.

2. Paris Court of Appeal (Dec 2025, No. 25/04270), Salesforce (Cour de cassation, Jan 2026), and TotalEnergies (Conseil d'État, Dec 2025).

3. Dawson-Damer v Taylor Wessing LLP (Court of Appeal, February 2017); Ittihadieh v 5-11 Cheyne Gardens RTM Co Ltd (Court of Appeal, March 2017).

4. https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/individual-rights/right-of-access/when-can-we-consider-a-sar-to-be-manifestly-unfounded-or-excessive/

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
