Right of access to personal data: the CJEU clarifies the balance between the effectiveness of rights and the prevention of abuse

CJEU, 19 March 2026, C-526/24, Brillen Rottler

By a judgment of 19 March 2026, the Court of Justice of the European Union provides several important clarifications regarding the regime of the right of access under the GDPR, as well as its interaction with the liability mechanism set out in Article 82.

The Court was notably asked to rule on the potentially abusive nature of an initial access request, as well as on the conditions for compensation in the event of a breach of this right. The judgment is noteworthy for two main reasons. First, it accepts—under strictly defined conditions—that an initial access request may be classified as “excessive.” Second, it confirms that a breach of the right of access may, in itself, give rise to a right to compensation, independently of the existence of a separate unlawful processing operation.

The facts of the case

An individual residing in Austria subscribed to the newsletter of a German optical company by providing certain personal data. Thirteen days later, he exercised his right of access under Article 15 of the GDPR.

The company refused to comply with the request, arguing that it was “excessive.” It maintained in particular that the individual was publicly known for multiplying such requests to various controllers, with the aim—where responses were lacking or deemed insufficient—of subsequently seeking compensation on the basis of Article 82 of the GDPR.

A nuanced assessment of the “excessive” nature of access requests

The main contribution of the decision lies in the interpretation of Article 12(5) of the GDPR, which allows the controller to refuse to act on a request that is “manifestly unfounded or excessive.”

  1. An initial request for access may, in principle, be excessive

The Court rejects from the outset the idea that excessiveness is necessarily linked to the repetition of requests. While repetition may constitute an indicator, it cannot be elevated to a condition. Accordingly, a first request may, in theory, be classified as excessive.

However, the Court immediately limits this possibility. It recalls that Article 12(5) constitutes an exception to the obligation to facilitate the exercise of data subjects’ rights, and must therefore be interpreted strictly. In other words, although the possibility of an excessive initial request is accepted, it should, in practice, be confined to very specific situations.

  1. The Requirement of a Clear Abuse of Rights

According to the Court, the classification of a request as excessive is based on the classic EU law concept of abuse of rights. Two elements must be established:

  • An objective element, relating to the misuse of the purpose of the right of access, which aims to enable the data subject to know how their data is being processed and to verify the lawfulness of such processing.

  • A subjective element, characterized by the intent to obtain an advantage by artificially creating the conditions for its attainment.

In practice, the controller must demonstrate that the request was not made in order to genuinely exercise the right of access—particularly to obtain information about the processing—but rather for a different purpose, namely to provoke a violation and subsequently ground a claim for damages.

The Court emphasizes the required standard of proof: such a demonstration must be made “in the light of all relevant circumstances” and in an unequivocal manner. The judgment provides several indicators that may be taken into account:

  • The conditions under which the data was provided.
  • The time elapsed between the provision of the data and the request for access.
  • The overall conduct of the data subject.

The Court also accepts that publicly available information relating to similar requests (e.g. evidence of a possible “modus operandi” vis-à-vis other controllers) may be taken into account, provided that it is corroborated by other elements.

This approach confirms that the analysis must remain concrete and contextual, and cannot be based on general or abstract considerations.

Recognition of an autonomous right to compensation for breach of the right of access

The second key contribution of the judgment concerns the interpretation of Article 82 of the GDPR.

The Court holds that the right to compensation is not limited to damage resulting from the processing of personal data. It notes that Article 82 refers to any damage suffered “as a result of an infringement” of the GDPR, without restricting its scope to cases of unlawful processing.

Consequently, a breach of the right of access—such as an unjustified refusal to provide information—may, in itself, give rise to compensation. This solution is consistent with the overall structure of the Regulation. The rights set out in Chapter III (including the right of access) are an integral part of the protection of data subjects and must therefore benefit from an effective remedy.

This leads, at least potentially, to an increase in compensation claims based on data subjects’ rights.

Further Clarifications on Non-Economic Damages and Causation

In line with its previous case law, the Court confirms that non-pecuniary damage may include:

  • the loss of control over one’s data;
  • uncertainty regarding the existence of processing.

However, these elements cannot be presumed; they must be concretely demonstrated by the data subject.

Most importantly, the Court introduces an important nuance regarding causation. The causal link may be broken where the conduct of the data subject constitutes the determining cause of the alleged damage, in particular where the individual has themselves artificially created the conditions of the infringement.

This point is consistent with the analysis of abuse of rights developed under Article 12(5).

* * *

In practice, the right of access is now widely used, particularly in pre-litigation and litigation contexts in employment law. Former employees and their legal advisers increasingly submit systematic access requests, often very broad in scope, whose objective frequently goes beyond merely verifying the lawfulness of processing. These requests are often part of broader litigation strategies, aimed both at exerting pressure in ongoing negotiations and at obtaining evidence useful for legal proceedings—where previously, recourse to investigative measures under Article 145 of the French Code of Civil Procedure was often the only available tool.

However, the judgment should not be interpreted as granting employers carte blanche to systematically classify such requests as “excessive.” In light of the strict criteria set out by the CJEU and the very specific circumstances of the case—where the access request appeared primarily aimed at obtaining compensation—such a classification is likely to remain exceptional.