No Shortcut to Compensation: CJEU Rules on Abusive Data Access Requests

The Court of Justice ruled that a first-time data access request under GDPR Article 15 can be refused as “excessive” if it is made solely to fabricate a basis for compensation. In Brillen Rottler, an individual subscribed to a newsletter and requested access 13 days later. The Court found that where a controller can demonstrate an abusive intention, evidenced by a pattern of repeated access requests followed by compensation claims, the request may be denied.

Facts

The controller argued the request was abusive, citing reports showing the individual systematically subscribed to newsletters solely to submit access requests followed by compensation claims. The national court asked whether a first request could be deemed excessive and whether compensation was due.

Key Takeaways

• Abusive Intention: A request is abusive if it aims to artificially create conditions for claiming damages rather than to verify processing lawfulness.

• Pattern of Conduct: A history of multiple access requests and subsequent claims supports a finding of abuse.

• Compensation: Claimants must prove actual damage; compensation is barred if the claimant’s own conduct is the determining cause of the harm.

Read More - https://curia.europa.eu/site/upload/docs/application/pdf/2026-03/cp260038en.pdf