Request or Ruse? When SARs Cross the Line

The European Court of Justice issued its judgment in Brillen Rottler GmbH & Co KG v TC (case C-526/24) last week (19 March 2026). This is an important judgment in relation to subject access requests and, in particular, when they can be deemed “excessive” pursuant to Article 12(5) of the GDPR.

Background

In March 2023, TC, who resides in Austria, subscribed to the newsletter of a family-run opticians in Arnsberg, Germany (Brillen Rottler) by entering his personal data into a form on the company’s website for this purpose. Less than two weeks later, TC sent a subject access request to the company. The request was refused by the company, within the initial month allowed for a response, on the basis that it considered the request to be abusive in terms of Article 12(5) of the GDPR and called on TC to withdraw his request. TC pressed for a response to his subject access request and, in addition, now sought compensation in terms of Article 82 of the GDPR in the amount of €1,000. The company raised proceedings in the Local Court in Arnsberg seeking declarator that TC was not entitled to any compensation.

In support of its position, the company asserted that TC systematically and abusively makes requests for access to his personal data for the sole purpose of obtaining compensation for an alleged infringement, which he himself deliberately provokes. The company asserted that TC’s approach was to subscribe to a newsletter, then make a subject access request and finally submit a claim for compensation.

Reference to the European Court of Justice

The Local Court in Arnsberg referred eight questions for a preliminary ruling under Article 267 of the TFEU. In essence, those questions sought a preliminary ruling on the following issues:

  1. Whether it is possible that a first subject access request made to a controller by a data subject may be regarded as excessive within the meaning of Article 12(5) and, if so, in what circumstances.
  2. Whether the right to compensation under Article 82 of the GDPR confers a right to compensation resulting from an infringement of the right of access provided for in Article 15.
  3. Whether Article 82(1) of the GDPR includes non-material damage suffered by the data subject for the loss of control over their personal data or their uncertainty as to whether the data have been processed.
  4. Whether a subject access request from a data subject constitutes processing within the meaning of Article 4 of the GDPR.

Judgment of the European Court of Justice

The first issue: abusive subject access requests

The ECJ answered this in the affirmative, holding that a first subject access request by a data subject can be regarded as excessive where the data subject has an abusive intention in making the request. The starting point for the ECJ was that, in the absence of a definition of what amounts to excessive in the GDPR, it was necessary in interpreting the concept “to consider not only the wording of article 12(5) of that regulation, by reference to its usual meaning in everyday language, but also the context in which that provision occurs and the objectives pursued by the rules of which it is part.” [24] This approach by the ECJ is entirely in line with the domestic approach to statutory interpretation and therefore the ECJ’s answer is likely to be a very good indication as to the approach the domestic courts will take in interpreting the equivalent provision in what is now the United Kingdom General Data Protection Regulation (“UK GDPR”).

The court went on to hold that the everyday meaning and usage of the word “excessive” did not rule out the possibility that a first request made to a controller by a data subject may be excessive. [25] The use of the words “repetitive character” in Article 12(5) was only by way of an example; there does not need to be a large number of requests to the controller from a data subject before a request may be deemed excessive. [26]

The court then went on to hold that this conclusion was supported by the context of the provision. Article 12(5) provides an exception to the obligation on controllers to facilitate the rights of data subjects (in this context, the right of access) in the face of a request which is manifestly unfounded or excessive. [29] The court went on to state that the interpretation of the concept of “excessive requests” in Article 57(4) could be transposed to the present case, under reference to the court’s judgment in Österreichische Datenschutzbehörde v FR. [30] Therefore, even in relation to a first request, a controller can rely upon the exception to their general obligation found in Article 12(5) where they establish that there has been an abusive intention on the part of the data subject. [31] In this context abusive refers to an abuse of rights rather than to the content of the request being abusive. The court goes on to state, at [34], in the context of the non-absolute nature of the right to protection of personal data and the need to balance it against other fundamental rights:

“Therefore, in order to ensure that that balance is achieved by means of that exception, and that it is effective, the relevant criterion for a finding of abusive conduct is the excessive character for the request for access, which is to be assessed qualitatively, in accordance with paragraph 26 of the present judgment, and which cannot depend solely on the number of requests for access made by the data subject and thus on whether it is the data subject’s first request.”

Turning to the specific circumstances in which a data subject’s first subject access request may be excessive within the meaning of Article 12(5), the court pointed out that the aim of Article 15, as read with recital 63, “is to confer on a data subject the right of access to personal data which have been collected concerning him or her and to exercise that right easily and at reasonable intervals in order, inter alia, to be aware of the processing of those personal data and to verify the lawfulness of that processing, thereby enabling the data subject to exercise, depending on the circumstances, his or her right to rectification, right to erasure or right to restriction of processing, and his or her right to object and right of action where he or she suffers damage.” [37]

The court stated that, in relation to the subjective element, the controller will require to “establish, having regard to all the relevant circumstances of each case, that there has been an abusive intention on the part of the data subject.” [40] It continued that where the request has been made for a purpose other than that of being aware of the processing being undertaken and verifying the lawfulness of that processing, in order to enable the protection of the data subject’s other rights under the GDPR, this may be a situation where a request might be excessive within the meaning of Article 12(5). [40] The court confirmed that, in the present case, public information about TC’s tactics could be taken into account in determining whether there had been an abusive intention behind the request. [43]

Second issue: compensation resulting from an infringement of the right of access

The court also answered this issue in the affirmative. Article 82 refers to an infringement rather than to a right to compensation in relation to damage arising from the processing of personal data, therefore the right in Article 82 cannot be limited to the latter. [48]

This conclusion, the court states, is supported by a contextual analysis of Article 82 when read along with recitals 141 and 146. [49]-[50] Therefore, where there is an infringement of the GDPR that does not, in effect, involve the processing of personal data there still exists a right to compensation under Article 82, subject to the need to prove actual damage (material or non-material). [54]

Third issue: compensation for loss of control or uncertainty

The court confirmed that, subject to the data subject proving that they have actually suffered non-material damage, the right to compensation under Article 82 does encompass the loss of control over personal data or a data subject’s uncertainty as to whether their personal data has been processed. [67]

Fourth issue: whether a subject access request constitutes processing

In light of how it treated what I have termed in this post “the second issue” (being questions five and six of the referring court), the court considered that there was no need to answer this question in the context of this reference.

Application to the UK GDPR

Since the UK left the European Union, judgments of the European Court (in relation to EU law remaining part of the domestic law in the UK) which have been issued after 31 December 2020 are not binding on courts in the UK, but remain persuasive in terms of the European Union (Withdrawal) Act 2018.

This judgment is therefore likely to be highly persuasive to courts in the UK which are faced with questions concerning the meaning of Article 12(5) of the UK GDPR and also in relation to Article 82 of the UK GDPR. As indicated above, the approach adopted in relation to the interpretation of the GDPR as it relates to the first issue is in all material respects in line with the modern domestic approach to statutory interpretation as set out in cases such as R (N3 and another) v Secretary of State for the Home Department; therefore, the domestic courts are likely to reach the same conclusion even without reference to this judgment.

The judgment, especially when considered alongside the amendments made to data protection law by the Data (Use and Access) Act 2025, is likely to give controllers a great deal of latitude in refusing a request, particularly where they have evidence to suggest that a data subject is making a request for purposes other than a genuine attempt to establish the nature and extent of the processing of personal data concerning them and the lawfulness of any such processing. However, a controller who wrongly applies the exemption in Article 12(5) (and thus infringes the UK GDPR by not providing a substantive response) could, subject to the data subject proving material or non-material damage, open themselves up to a claim for compensation. It does not seem that this judgment conflicts with domestic case law, such as Dawson-Damer v Taylor Wessing LLP, which concerns “collateral” purposes rather than a purely abusive exercise of rights.

Disclaimer: This article is for information purposes only and nothing in it should be taken as constituting legal advice.