On March 19, 2026, the CJEU issued its judgment in the Brillen Rottler case (C‑526/24). The case concerns the GDPR right of access and the conditions for claiming damages. In the underlying facts, an Austrian individual subscribed to Brillen Rottler’s newsletter and, two weeks later, exercised his right of access. The shopkeeper rejected the request as abusive, prompting the individual to seek damages. Brillen Rottler argued before the court that the individual was known for similar actions and that his access request merely aimed to obtain damages, rendering it abusive.
The CJEU decided as follows:
First, a first access request may be deemed excessive under Article 12(5) GDPR. Excessiveness can arise not only from the quantity of requests but also from the qualitative nature of a single request. The Court stressed, however, that excessiveness must be interpreted restrictively and that the threshold is high. The controller also bears the burden of demonstrating that the access request is excessive.
Second, whether an access request is excessive may depend on both objective and subjective circumstances. The fact that the objective conditions of Art. 15 GDPR are met (i.e., personal data is processed and the right of access formally applies) does not exclude the possibility that the request is excessive. Excessiveness may stem from subjective circumstances—for example, when the right is exercised for purposes other than learning about the processing and ensuring the protection of GDPR rights. Elements such as whether the data was freely provided, the purpose of the data sharing, the time elapsed between the data provision and the access request, and the behavior of the data subject may be relevant. Publicly available evidence that the data subject systematically files access requests with multiple controllers to obtain damages is a behavior that may be taken into account.
Third, the Court held that the Art. 82 GDPR right to compensation also applies to violations of the right of access. In other words, data subjects may be awarded damages (provided the conditions for compensation are met) where a controller fails to comply with an access request.
Finally, the general standard for GDPR damages (violation of the law, demonstrated damage, and causality) is not met where the causal link between the violation and the damage incurred is broken by the data subject’s own behavior, namely where that behavior is the true cause of the alleged damage. In the case at hand, causality would be broken where the damage is caused by the data subject’s deliberate act of providing personal data to a controller solely to artificially trigger the right of access.