Written by: Haim Ravia, Dotan Hammer
On March 19, 2026, the Court of Justice of the European Union issued its judgment in *Brillen Rottler GmbH & Co. KG v. TC* (Case C-526/24), addressing whether a controller may refuse even a first request for access as “excessive” under Article 12(5) of the GDPR, and whether a data subject can claim compensation under Article 82(1) for infringement of the right of access.
In March 2023, TC, an Austrian individual, subscribed to the newsletter of Brillen Rottler, a family-run optician in Germany, and thirteen days later submitted a request for access to his personal data under Article 15. Brillen Rottler refused, considering the request abusive. The company submitted publicly available evidence—including reports and blog articles—that TC systematically subscribed to newsletters, submitted access requests, and then claimed compensation from various controllers following a consistent pattern.
On the abuse question, the Court ruled that a first request for access may be regarded as “excessive” under Article 12(5). While the provision cites repetitive character as an example of excessive conduct, the Court held this is referenced only “by way of example”—a single request can qualify. However, this exception must be interpreted restrictively: a controller may refuse only where it demonstrates, in light of all relevant circumstances, that the request was made not for the purpose of verifying the lawfulness of processing, but with an abusive intention, such as artificially creating the conditions for obtaining compensation.
Proof requires both an objective element (the purpose of the rules has not been achieved despite formal compliance) and a subjective element (intent to obtain an advantage by artificial means). Relevant circumstances include whether the data subject provided data without being obliged to do so, the aim of providing the data, the time elapsed before the access request, and the data subject’s conduct. Publicly available information showing systematic requests followed by compensation claims to various controllers may be considered, provided it is supported by other relevant material. The burden of proof lies with the controller.
Regarding compensation, the Court ruled that Article 82(1) confers a right to compensation for damage resulting from an infringement of the right of access—even where the infringement does not involve actual data processing. The Court reasoned that where a controller infringes Chapter III rights, the infringement typically results from a refusal to act on the data subject’s request rather than from processing as such. Requiring damage to result from processing would exclude such situations and undermine the provision’s effectiveness.
On non-material damage, the Court confirmed that the loss of control over personal data or uncertainty about whether data have been processed can constitute compensable damage, but it also set important limits. The data subject must demonstrate actual damage distinct from the mere infringement itself, and the data subject’s own conduct must not be the determining cause. Where a data subject submitted personal data to a controller with the aim of artificially creating the conditions for a compensation claim, the causal link is broken; the data subject cannot recover for loss of control or uncertainty caused by their own deliberate conduct.
Click here to read the CJEU’s judgment in *Brillen Rottler GmbH & Co. KG v. TC* (Case C-526/24).
