In its March 19, 2026, judgment in Case C-526/24 (Brillen Rottler), the CJEU ruled that even a first request for access to personal data under the GDPR may be deemed abusive if not made in good faith.
Key Takeaways
- A first-access request under Article 15 GDPR may be classified as “excessive” under Article 12(5). The controller bears a high burden of proof and must demonstrate that the data subject acted with abusive intent rather than a genuine interest in verifying the lawfulness of data processing.
- Publicly available information — such as media reports or blog posts documenting a data subject’s pattern of filing serial access requests followed by damages claims against multiple controllers — may be considered as a factor in the abuse assessment, though not as the sole basis.
- Article 82(1) GDPR confers a right to damages for violations of the access right under Article 15(1). The damages claim is not limited to harm arising from data processing operations — a refusal to act on a data subject request can itself trigger liability.
- Where the data subject deliberately transmits personal data to a controller in order to manufacture a damages claim, the resulting loss of control or uncertainty cannot ground compensation under Article 82(1) GDPR — the causal chain is interrupted by the data subject’s own conduct. This causation defense is tailored directly to the “GDPR hopping” scenario.
Background
On March 19, 2026, the Court of Justice of the European Union (CJEU) delivered its judgment in Case C‑526/24 (Brillen Rottler), addressing a preliminary reference from the District Court Arnsberg (Germany). The case involves a phenomenon colloquially known as “GDPR hopping” — where individuals sign up for services (such as newsletters), promptly submit data access requests under Article 15 GDPR, and then claim non-material damages under Article 82(1) GDPR when the controller fails to comply or responds inadequately.
In this case, an Austrian individual subscribed to the newsletter of Brillen Rottler, a family-owned optician based in Arnsberg, Germany, providing personal data through the company’s online sign-up form. Thirteen days later, he submitted a data access request under Article 15 GDPR. Brillen Rottler refused to comply, contending that the request was abusive under Article 12(5) GDPR. The company pointed to extensive publicly available evidence — media reports, blog posts, and accounts from attorneys — suggesting that the individual followed a systematic pattern: subscribe to a newsletter, file an access request, then demand damages when the request is denied or improperly handled. The data subject countered that his access request was legitimate and filed a counterclaim seeking at least €1,000 in non-material damages under Article 82(1) GDPR. The scale of the alleged conduct is significant: In a parallel proceeding before the District Court Augsburg (Germany), 66 cases following the identical pattern were documented in the last year, resulting in aggregate damages claims of approximately €160,000.
The District Court Arnsberg referred eight questions to the CJEU for a preliminary ruling, which the court consolidated into three groups to address: (1) whether a first-access request can be “excessive,” (2) whether Article 82(1) GDPR covers damages from access right violations, and (3) whether loss of control or uncertainty alone constitutes compensable non-material damage.
The CJEU Judgment Unpacked
1. A First-Access Request Can Be “Excessive” Under Art. 12(5) GDPR
Article 12(5) GDPR permits controllers to charge a reasonable fee or refuse to act on access requests that are “manifestly unfounded or excessive, in particular because of their repetitive character.” The provision’s explicit reference to “repetitive character” has led some practitioners and courts to assume that a first request could never qualify as excessive. The CJEU has now rejected this interpretation.
The court’s reasoning proceeds on three levels. On the textual level, the CJEU holds that the word “excessive” carries both qualitative and quantitative connotations and that the reference to “repetitive character” is merely illustrative (“in particular”/“insbesondere”), not exhaustive. Systematically, the court links Article 12(5) GDPR to the general principle of EU law prohibiting abuse of rights — a principle already recognized in the CJEU’s earlier ruling in Österreichische Datenschutzbehörde (C‑416/23). Teleologically, the court emphasizes that the right to data protection is not absolute (Recital 4 GDPR) and must be balanced against other rights, including the controller’s freedom to conduct a business.
The CJEU imposes a two-pronged test for establishing abuse, derived from the general EU abuse-of-rights doctrine:
- Objective element: A totality of objective circumstances demonstrating that, despite formal compliance with the conditions for exercising the right of access, the purpose of the regulation has not been achieved. Relevant factors include whether the data subject voluntarily provided the personal data; the purpose of the data provision; the time elapsed between data provision and the access request; and the data subject’s overall conduct.
- Subjective element: The data subject’s intent to obtain an advantage under the GDPR by artificially creating the conditions for its application — specifically, where the access request is made not to become aware of data processing and to verify its lawfulness, but rather to manufacture a basis for claiming damages.
Importantly, the CJEU confirms that publicly available information — such as media reports, blog posts, and practitioner accounts documenting a data subject’s pattern of filing serial access requests followed by damages claims against other controllers — may be taken into account when assessing abusive intent. However, such information cannot serve as the sole basis for the finding; it must be corroborated by other relevant indicators.
The court emphasizes that Article 12(5) GDPR constitutes a narrow exception to the controller’s duty to facilitate data subject rights. The threshold for classifying a first-access request as excessive must be high, and the burden of proof rests squarely with the controller (Article 12(5) subpara. 2 GDPR).
2. 82(1) GDPR Covers Damages from Access Right Violations
The court’s second significant holding concerns the scope of Article 82(1) GDPR. Brillen Rottler had argued that damages under Article 82(1) GDPR require a violation linked to a data-processing operation, and that a mere refusal to respond to an access request did not involve “processing” within the meaning of Article 4(2) GDPR. This argument, if accepted, would have excluded access right violations from the GDPR’s damages regime entirely.
The CJEU rejected this reading. Article 82(1) GDPR provides a right to compensation for damage caused by “an infringement of this Regulation” — not merely by unlawful processing. The court offered two reasons:
- Systematic considerations: Article 82 is situated in Chapter VIII of the GDPR, which governs remedies, liability, and sanctions for the protection of all rights under the regulation — including the Chapter III rights (Articles 12‑22), such as the right of access. Many of these rights are violated precisely by inaction — i.e., a refusal to act on a data subject’s request — rather than by a positive act of data processing. Excluding such violations from the scope of Article 82 would undermine its practical effectiveness (effet utile).
- Teleological considerations: Article 82 is designed to ensure the realization of the GDPR’s objectives, including the strengthening of data subject rights (Recital 11). These rights would be weakened if damages were available only for unlawful acts involving data processing. The court notes that this interpretation is consistent with its prior holding that violations of Articles 26 and 30 GDPR — which do not constitute “unlawful processing” as such — may nonetheless give rise to damages (citing Bundesrepublik Deutschland, C‑60/22).
This holding resolves a question that had divided German courts and commentators. Controllers should note that an unjustified failure to respond to data subject requests under Chapter III GDPR now carries a clearly established risk of damages liability under Articles 82(1) GDPR, independent of any separate processing infringement.
3. Loss of Control and Uncertainty as Non-Material Damage — With Limits
Building on its prior case law (Agentsia po vpisvaniyata, C‑200/23; Gemeinde Ummendorf, C‑456/22), the CJEU confirms that loss of control over personal data and uncertainty about whether one’s data has been processed may constitute non-material damage under Articles 82(1) GDPR. The court reiterates that there is no de minimis threshold — even minor harm is compensable in principle.
However, the court imposes several constraints:
- Proof of actual harm: A GDPR violation does not automatically give rise to a damages claim. The data subject must demonstrate that harm has actually occurred. The mere assertion of a fear of data misuse is insufficient; any such fear must be shown to be well founded under the specific circumstances.
- No presumption of damage: The three conditions of Article 82(1) GDPR — a GDPR violation, actual damage, and a causal link between the two — remain cumulative. Damage cannot be presumed from the violation alone.
- Distinction from the violation itself: The data subject must show that the consequences suffered constitute a harm distinct from the mere violation of the GDPR itself.
4. Additional Insight: Causation Can Be Interrupted by the Data Subject’s Own Conduct
In an important passage for the “GDPR hopping” phenomenon, the court held that the causal link between a GDPR violation and the alleged damage can be broken by the data subject’s own conduct, where that conduct proves to be the decisive cause of the harm.
Specifically, where the loss of control or uncertainty about data processing was brought about by the data subject’s own decision to transmit personal data to the controller with the intent of artificially creating the conditions for a damages claim, no compensation is owed under Articles 82(1) GDPR. The court drew an analogy to its case law on the interruption of causation in other contexts (citing WS and Others/Frontex, C‑679/23 P).
Consequently, while the abuse defense under Article 12(5) GDPR allows the controller to refuse the access request outright, the interruption-of-causation doctrine provides a separate and independent defense at the damages stage: even if the controller cannot fully discharge its burden under Article 12(5), it may still defeat a damages claim by demonstrating that the data subject engineered the very situation from which the alleged harm flows.
Practical Implications
- For Data Controllers and Businesses: The judgment provides controllers with a potential new defense against serial, bad-faith access requests — for the first time at the CJEU level, even a first request can be refused as excessive. To invoke this defense, controllers should consider building the evidentiary record early (documenting timelines, publicly available reports on the claimant’s pattern, and parallel proceedings), and must raise the abuse objection within the one-month response period under Article 12(3)-(4) GDPR, clearly stating the reasons for refusal. The flip side of the ruling raises the stakes for legitimate requests; the CJEU has confirmed that an unjustified refusal to comply with an Article 15 access request may itself trigger damages liability under Article 82(1) GDPR, making robust and timely data subject request handling key.
- For Data Subjects and Claimants: Legitimate access requests remain protected — the court reaffirmed the right of access as a cornerstone of the GDPR’s transparency framework and confirmed that damages are available for its violation, not only for unlawful processing. However, data subjects whose primary objective is to manufacture damages claims rather than to genuinely exercise their data protection rights now face the risk of rejection on abuse grounds and, independently, of having the causal chain underlying any Article 82(1) claim found to have been interrupted by their own conduct.
