Share

Brillen Rottler – A review of the DSAR Mechanism

On 19 March 2026, the Court of Justice of the European Union (CJEU) delivered its judgment in Brillen Rottler GmbH & Co KG v TC (Case C-526/24) addressing key issues surrounding data subject access requests (DSAR) and abusive practices. This decision has been anticipated as a potential opportunity to provide further guidance on balancing the right of access under Article 15 GDPR with controllers’ competing rights.

09/06/2026

Briefing

Circumstances giving rise to the DSAR

TC, an Austrian resident, subscribed to the newsletter of a German optician, Brillen Rottler, which required entering his personal data into the registration form. Thirteen days later, he made a DSAR which Brillen Rottler rejected. The optician considered the request to be abusive and called on TC to withdraw his request. TC refused to withdraw and sought compensation of €1,000 for non-material damages pursuant to Article 82 GDPR.

Brillen Rottler submitted a claim to the referring Court that TC is not entitled to compensation, arguing that it had become apparent through online reports that TC was intentionally seeking out GDPR infringements by subscribing to newsletters of businesses, subsequently submitting a DSAR and then seeking compensation following a refusal.

The referring Court submitted eight questions to the CJEU that are summarised below:

Can a data subject’s first access request be characterised as excessive within the meaning of Article 12 GDPR, including by reference to the data subject’s intentions and/or publicly available information?
Does Article 82 GDPR confer on data subjects a right to compensation for damage resulting from an infringement of the right of access in Article 15 GDPR?
Can Article 82 GDPR be interpreted as meaning that non-material damage encompasses the loss of control over, or uncertainty concerning the processing of personal data?

Meaning of “excessive”

The Court analysed Article 12 GDPR and considered whether a DSAR can be excessive, even if it is the first time the request is received from the data subject. The Court examined the meaning of “excessive” as outlined in EU jurisprudence, noting that consideration should be given to its everyday meaning in addition to the context in which the provision occurs. The Court reasoned that “‘excessive’ denotes something which exceeds the ordinary or reasonable amount” and its use does not rule out the possibility that a first request may be excessive. The Court held that a controller may make use of the option to refuse an access request, even in the case of a first request where it, having examined the facts, considers that the data subject has an abusive intention.

In considering abusive practices, the Court stressed that “EU law cannot be relied on for abusive or fraudulent ends” and noted that consideration needs to be given to; (i) objective circumstances in which the purposes of EU law have not been achieved; and (ii) the intention of the data subject to obtain an advantage from EU law by artificially creating the conditions to achieve that advantage. In the present case, the Court found that TC’s actions could be taken into consideration for establishing abusive intention.

Opinion of Advocate General Szpunar

The Court largely followed the Advocate General’s Opinion in this case, delivered on 18 September 2025, however the CJEU’s language is less restrictive in tone. In our previous briefing, A summary of 2025’s key CJEU data protection judgments, we noted that in respect of an initial access request, the Advocate General considered that controllers should only consider such requests to be excessive “in exceptional circumstances”, with strict criteria applied for such a finding. Similarly, in respect of the intentions of data subjects, the Advocate General strongly emphasised that publicly available information “is not sufficient, in itself and without further evidence, to demonstrate an abusive intention”. In contrast, the Court, although arriving at the same conclusion and citing the Advocate General’s Opinion, held that public information could be taken into consideration, if supported by other relevant material.

Compensation

The Court turned to consider whether data subjects have a right to compensation for damage resulting from an infringement of the right of access in Article 15 GDPR. The Court noted that the right to compensation cannot be limited to damage resulting from the processing of personal data as the provision contains no reference to “processing”.

The referring Court also asked whether Article 82 GDPR can be interpreted as meaning that non-material damage encompasses the loss of control over, or uncertainty concerning the processing of personal data. The Court observed that there needs to be a causal link between damage suffered and infringement complained of for a right of compensation to arise. The Court held that the mere allegation by the data subject of fear caused by a loss of control over, or uncertainty concerning a data subject’s personal data does not give rise to compensation. The Court also noted that the causal link may be broken by the conduct of the data subject where that conduct proves to be the determining cause of the damage.

Impact

The judgment offers more clarity to controllers on the circumstances in which they can validly refuse to act upon a DSAR. It establishes that controllers can reject DSARs as being excessive, even if it is a first in time request, where there is an intention to abuse EU law to extract compensation. The judgment does not reduce the burden of proof on controllers, as the Court affirmed that they are still required to prove that a request is excessive. Additionally, controllers must continue to undertake a case-by-case assessment of each request and consider whether on the facts, the data subject has an abusive intention. The Court’s judgment does not allow controllers to apply a blanket refusal of any DSARs which they consider abusive, any refusal of a DSAR requires clear, documented and contextual evidence.

While the facts of the Brillen Rottler case demonstrate such an intention on the part of TC due to substantial publicly available information, it is unlikely that other DSARs will have as clear evidence of an abusive intention.

The decision is timely in the context of the Digital Omnibus Proposal for a Regulation as regards the simplification of the digital legislative framework (2025/0360(COD)) (Proposal) announced by the European Commission in November 2025. Recital 35 of the Proposal provides that the right of access should not be abused by data subjects for purposes other than the protection of their data, illustrating this with an example similar to the facts of the present case. The amendment to Article 12(5) GDPR would allow controllers to charge a reasonable fee or refuse to act on a DSAR where they can establish reasonable grounds for believing that the data subject is abusing their rights for purposes other than the protection of their data. This would potentially reduce the burden of proof for excessive data requests, but it is in contrast to the present CJEU decision.

In their Joint Opinion on the Proposal for a Regulation as regards the simplification of the digital legislative framework (Digital Omnibus) dated 10 February 2026, the EDPB and EDPS suggest that the reduction to the burden of proof should be reconsidered, and the current threshold maintained. The Joint Opinion also suggests that controllers should be required to demonstrate an abusive intention when considering if a DSAR is abusive. Considering the significance of the Brillen Rottler decision, it remains to be seen what position the final Digital Omnibus Regulation will take in respect of DSAR requests.

If you would like to discuss any of the matters covered in this briefing in more detail, please get in touch with any member of our Technology and Innovation Group.

The authors would like to thank Anna O’Doherty for her contribution to this article.

Save As PDF