When is a Data Subject Access Request Abusive? The CJEU Draws the Line in Brillen Rottler

On 19 March 2026, the Court of Justice of the European Union handed down its judgment in Case C-526/24 Brillen Rottler, ruling that even a first-ever data subject access request can be refused as “excessive” under Article 12(5) of the GDPR where the controller demonstrates it was made with abusive intent. The decision matters because it provides the first clear judicial framework for controllers facing a growing phenomenon: individuals who submit DSARs not to exercise their data protection rights, but to manufacture compensation claims under Article 82 of the GDPR.

Regulatory background

Article 15 of the GDPR gives data subjects the right to obtain confirmation from a controller as to whether their personal data is being processed and, if so, to access that data. Article 12(5) permits a controller to refuse to act on requests that are “manifestly unfounded or excessive, in particular because of their repetitive character”. The burden of demonstrating that a request falls within this exception rests on the controller.

Separately, Article 82 of the GDPR confers a right to compensation on any person who suffers material or non-material damage as a result of a GDPR infringement. In recent years, Article 82 has become a significant driver of private enforcement across Europe, with individuals combining access requests with claims for damages. The CJEU had already considered the boundaries of “excessive” requests in its January 2025 judgment in Österreichische Datenschutzbehörde (C-416/23), where it held that the sheer number of requests or complaints was not, by itself, sufficient to classify them as excessive. What was required, the Court said, was evidence of abusive intention.

The facts in Brillen Rottler tested that principle further. An Austrian individual subscribed to the newsletter of a family-run German opticians company. Thirteen days later, he submitted an Article 15 access request. When the company refused, citing publicly available evidence that the individual systematically subscribed to newsletters and then submitted DSARs followed by compensation claims, the individual maintained his request and claimed EUR 1,000 in non-material damages. The Arnsberg Local Court referred the matter to the CJEU for a preliminary ruling.

Analysis

The CJEU confirmed three propositions of direct practical relevance.

First, a first request can be “excessive”. The Court held that the reference to “repetitive character” in Article 12(5) is merely illustrative. What matters is whether the request was made with abusive intent, not whether the data subject has submitted multiple requests. This is consistent with the general EU law principle that rights conferred by EU legislation cannot be relied on for abusive or fraudulent ends.

Second, the Court set out a two-part test for abusive intention. The controller must demonstrate (a) that the purpose of Article 15, which is to enable the data subject to verify the lawfulness of processing, was not in fact achieved; and (b) that the data subject submitted the request with the intention of artificially creating the conditions for a compensation claim under Article 82. In assessing this, the Court identified four relevant circumstances: whether the data subject provided personal data voluntarily and without obligation, the apparent purpose of providing that data, the time that elapsed between providing the data and submitting the DSAR, and the data subject’s overall pattern of conduct. Publicly available evidence of a systematic pattern of DSARs followed by compensation claims may be taken into account, though not necessarily in isolation.

Third, the Court confirmed that a data subject’s own conduct can break the causal chain for an Article 82 claim. While compensation can in principle be awarded for infringement of the right of access (even where the infringement does not itself involve unlawful processing), the data subject must prove actual damage and a causal link to the infringement. Critically, the CJEU held that no compensation is owed where the data subject’s own conduct is the “determining cause” of the damage suffered.

Commercial and operational implications

For UK and EU controllers, this judgment has several practical consequences.

DSAR triage

Controllers should consider introducing an early-stage abuse-of-rights assessment within their DSAR response workflows. The Court’s four-factor test provides a checklist: was the data provided voluntarily? What was its apparent purpose? How quickly did the DSAR follow? Is there a documented pattern of similar behaviour? A refusal based on Article 12(5) remains a high threshold, and the burden of proof sits with the controller. But the judgment gives controllers clearer ground to stand on when faced with requests that appear designed to provoke a refusal and generate a claim.

Documentation

Controllers who suspect abusive DSARs should document their reasoning contemporaneously. The Court made clear that publicly available information about a data subject’s track record of serial DSARs may be relevant evidence, but it must be supported by other factors pointing to abusive intent. A bare assertion that the requestor “looks like a serial claimant” will not be sufficient.

UK position: persuasive, not binding, but filling a gap

Brillen Rottler is a post-Brexit CJEU judgment and is not binding on UK courts. Under the European Union (Withdrawal) Act 2018, decisions of the CJEU after 31 December 2020 have no binding force in the UK, though courts may “have regard” to them. The Retained EU Law (Revocation and Reform) Act 2023 broadened the scope for UK courts to depart from pre-Brexit CJEU case law, and removed the requirement to interpret retained EU law in accordance with EU general principles, including the EU Charter of Fundamental Rights. In theory, this widens the gap between UK and EU approaches to data protection rights.

In practice, however, the UK case law on abusive DSARs remains thin. The leading domestic authority is the Court of Appeal’s combined judgment in Ittihadieh v 5-11 Cheyne Gardens and Deer v University of Oxford [2017] EWCA Civ 121, decided under the Data Protection Act 1998. The Court held that a collateral purpose, such as gathering material for litigation, does not invalidate a DSAR. But Lewison LJ identified a list of factors the court may weigh when exercising its discretion to order compliance, including whether the request amounts to an abuse of rights, for example where litigation is pursued merely to impose a burden on the controller. The earlier decision in Dawson-Damer v Taylor Wessing [2017] EWCA Civ 74 reached a similar conclusion: the reason for a DSAR is not normally a ground for refusal, but the court retains discretion. In Lees v Lloyds Bank, the High Court dismissed claims arising from repetitive DSARs that were found to be abusive and collateral to unrelated litigation, giving weight to the fact that the real purpose was to obtain documents rather than to exercise data protection rights.

More recently, in Ashley v HMRC [2025] EWHC 134 (KB), the High Court found that HMRC had failed to conduct adequate searches in response to a DSAR, but the judgment focused on the scope of the controller’s search obligation, not the abuse-of-rights question. None of these cases directly addresses the specific pattern at issue in Brillen Rottler: a data subject who deliberately creates a processing relationship for the sole purpose of generating a compensation claim.

The UK GDPR contains an identically worded Article 12(5), and the ICO’s guidance on subject access recognises the “manifestly unfounded or excessive” exception. Given the gap in domestic authority, UK courts and the ICO are likely to treat Brillen Rottler as persuasive when faced with allegations of manufactured or abusive DSARs. The judgment’s two-part test for abusive intent is a structured framework that fills a space the UK courts have acknowledged but not yet addressed head-on.

The Data (Use and Access) Act 2025, which received Royal Assent in June 2025, complements this position. The DUA Act codified the requirement for controllers to conduct only “reasonable and proportionate” searches in response to DSARs, introduced a statutory “stop the clock” mechanism, and established a new court procedure for DSAR disputes. It does not directly address the abuse-of-rights question. But read alongside Brillen Rottler, the picture for UK controllers is materially clearer than it was twelve months ago: statutory backing to limit the scope of the search, and now a structured CJEU framework (even if only persuasive) for refusing requests made with abusive intent.

Broader context

The judgment also arrives during the EU legislative process for the Commission’s Digital Omnibus Proposal, which would amend the GDPR to add an express ground for refusing DSARs that abuse GDPR rights for purposes other than data protection. The EDPB and EDPS, in their Joint Opinion on the Proposal, recommended linking the test to abusive intention, an approach that aligns closely with the Brillen Rottler framework.

Viewpoint

This is a welcome clarification, and a pragmatic one. The right of access is a core transparency mechanism, not a revenue-generating tool. The CJEU has maintained the high threshold for refusal, which is right. But it has also recognised that controllers should not be forced into a lose-lose position where complying costs time and resource, and refusing exposes them to a compensation claim that the requestor engineered from the outset. The causation point is particularly useful: where the data subject deliberately provoked the infringement, the Court holds that the causal link to the claimed damage may be broken.

For UK controllers, the practical position is now more favourable than it has been at any point since the GDPR came into force. The DUA Act 2025 gives statutory backing to proportionate searches. Ittihadieh and Dawson-Damer confirm that the court retains discretion to refuse to order compliance where abuse is demonstrated. And Brillen Rottler, though not binding, provides the structured two-part test that the domestic authorities have so far lacked. UK courts have acknowledged the concept of abusive DSARs but have not yet articulated a clear framework for identifying them. Brillen Rottler fills that gap. Whether UK courts will adopt the CJEU’s test wholesale, adapt it, or develop their own formulation remains to be seen. But the direction of travel, in both London and Luxembourg, is the same: the right of access is not a right to manufacture claims.

For data protection practitioners advising controllers, the practical takeaway is clear. Review your DSAR workflows. Build in an early assessment of intent. Document your reasoning. And if you do refuse, make sure you can point to the four-factor test and explain how each element is satisfied.

Links

If you are reviewing your DSAR response procedures in light of Brillen Rottler, or need advice on handling a specific access request, contact Rob Bratby at Bratby Law.
