[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fexFVbFakTPVomPQC-tRB-iambi7Y74Fbqkkda6Utyq8":3},{"article":4,"iocs":41},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":24,"category":25,"article_tags":29},"031175b3-b8ff-4874-90e7-e76e26ee1f5e","AG Arnsberg - 42 C 434\u002F23","ag-arnsberg-42-c-434-23-0551e3","Created page with \"{{COURTdecisionBOX |Jurisdiction=Germany |Court-BG-Color= |Courtlogo=Courts_logo1.png |Court_Abbrevation=AG Arnsberg |Court_Original_Name=Amtsgericht Arnsberg |Court_English_Name=Local Court Arnsberg |Court_With_Country=AG Arnsberg (Germany) |Case_Number_Name=42 C 434\u002F23 |ECLI= |Original_Source_Name_1=TRÖBER legal |Original_Source_Link_1=https:\u002F\u002Fwww.troeber.de\u002Fsite\u002Fassets\u002Ffiles\u002F3873\u002Furteil_ag_arnsberg_vom_01_07_2026-geschwarzt.pdf |Original_Source_Language_1=German |...\" New page {{COURTdecisionBOX |Jurisdiction=Germany |Court-BG-Color= |Courtlogo=Courts_logo1.png |Court_Abbrevation=AG Arnsberg |Court_Original_Name=Amtsgericht Arnsberg |Court_English_Name=Local Court Arnsberg |Court_With_Country=AG Arnsberg (Germany) |Case_Number_Name=42 C 434\u002F23 |ECLI= |Original_Source_Name_1=TRÖBER legal |Original_Source_Link_1=https:\u002F\u002Fwww.troeber.de\u002Fsite\u002Fassets\u002Ffiles\u002F3873\u002Furteil_ag_arnsberg_vom_01_07_2026-geschwarzt.pdf |Original_Source_Language_1=German |Original_Source_Language__Code_1=DE |Original_Source_Name_2= |Original_Source_Link_2= |Original_Source_Language_2= |Original_Source_Language__Code_2= |Date_Decided=01.07.2026 |Date_Published=01.07.2026 |Year=2026 |GDPR_Article_1=Article 12(5)(b) GDPR |GDPR_Article_Link_1=Article 12 GDPR#5b |GDPR_Article_2=Article 15 GDPR |GDPR_Article_Link_2=Article 15 GDPR |GDPR_Article_3=Article 82 GDPR |GDPR_Article_Link_3=Article 82 GDPR |GDPR_Article_4= |GDPR_Article_Link_4= |GDPR_Article_5= |GDPR_Article_Link_5= |EU_Law_Name_1= |EU_Law_Link_1= |EU_Law_Name_2= |EU_Law_Link_2= |National_Law_Name_1= |National_Law_Link_1= |National_Law_Name_2= |National_Law_Link_2= |Party_Name_1=Brillen Rottler GmbH & Co. KG |Party_Link_1= |Party_Name_2= |Party_Link_2= |Party_Name_3= |Party_Link_3= |Appeal_From_Body= |Appeal_From_Case_Number_Name= |Appeal_From_Status= |Appeal_From_Link= |Appeal_To_Body= |Appeal_To_Case_Number_Name= |Appeal_To_Status=Unknown |Appeal_To_Link= |Initial_Contributor=av | }} A court held that a controller may reject a first access request as excessive under [[Article 12 GDPR#5b|Article 12(5)(b) GDPR]] if the data subject requests access with the abusive intent to artificially create a claim for damages against the controller. == English Summary == === Facts === An Austrian citizen residing in Vienna (the data subject) subscribed to the newsletter of a family-run optician company (the controller) mainly operating in the German states of North Rhine-Westphalia and Lower Saxony in March 2023. During the registration process, he provided his email address as well as his first and last name and consented to the processing of his personal data. He then made an access request under [[Article 15 GDPR|Article 15 GDPR]] by fax, using letterhead that included his full home address, email address, and fax number. The controller refused to provide the requested information in April 2023 as it considered the request to constitute abuse of rights. It cited newspaper reports indicating that the defendant had subscribed to numerous newsletters solely for the purpose of asserting claims for damages. The controller brought proceedings concerning the legality of its rejection of the access request. The data subject demanded access to the information required by in [[Article 15 GDPR|Article 15 GDPR]] and the payment of monetary compensation of €1,000 in a counter-lawsuit. The court referred the case to the CJEU for a preliminary ruling in July 2024. The CJEU rendered its judgment in the case C-526\u002F24 Brillen Rottler on 19 March 2026. It held that even an initial access request could be rejected on the grounds of an abuse of rights. According to the CJEU, the assessment of abusive conduct is based on all circumstances of the individual case. Both objective circumstances and the subjective intent of the data subject need to be taken into account. An abusive intent always exists if the access request is made in order to artificially create a claim for damages. === Holding === The court held that the lawsuit had originally been well-founded and ruled that the counterclaims were without merit. According to the court, the controller could reject the data subject’s access request as excessive under [[Article 12 GDPR#5b|Article 12(5)(b) GDPR]]. The data subject also had no right to damages under [[Article 82 GDPR|Article 82 GDPR]] due to the absence of a GDPR violation. The court referred to the preliminary ruling in the case C-526\u002F24 and based its decision on an overall assessment of the objective and subjective circumstances of the present case as required by the CJEU decision. It held that the data subject’s conduct had been abusive. To the conviction of the court, there were numerous indications of abusive conduct: first, the data subject had voluntarily disclosed more personal data than was needed to subscribe to the newsletter. Second, the court could not identify any personal interest in a regional newsletter concerning operations in Nordrhein-Westfalen, as the data subject was an Austrian resident. In addition, the court took into account that the data subject had made the access request only nine days after subscribing to the newsletter and had not filed a complaint with the competent DPA before raising a claim for damages. Finally, information on the internet about numerous cease-and-desist letters sent by the data subject pointed to abusive conduct. == Comment == ''Share your comments here!'' == Further Resources == ''Share blogs or news articles here!'' == English Machine Translation of the Decision == The decision below is a machine translation of the German original. Please refer to the German original for more details. 42 C 434\u002F23 Arnsberg Local Court IN THE NAME OF THE PEOPLE Judgment In the legal dispute between GmbH & Co. KG, represented by its general partner, Verwaltungsgesellschaft mbH, which is represented by its managing directors, and Arnsberg, Plaintiff and Defendant in Counterclaim, Attorneys: Tröber, Am Mittelhafen 10, 48155 Münster, against Mr. , , Austria, Defendant and Counterclaimant, Attorneys: Arnsberg Local Court, in written proceedings with a deadline for filing written submissions until June 1, 2026, by Judge rule as follows: 2 The counterclaim is dismissed. The defendant shall bear the costs of the proceedings and the preliminary ruling procedure (Case No. C-526\u002F24). The defendant shall bear the costs of the proceedings and the preliminary ruling procedure. The judgment is provisionally enforceable upon provision of security in the amount of 110% of the respective amount to be enforced. Facts: The parties are in dispute, in the context of the claim, which has been declared settled by mutual agreement, regarding the legality of the plaintiff's refusal to provide data access under the GDPR, and in the context of the counterclaim, regarding the plaintiff's obligation to provide information under the GDPR and to pay monetary compensation. While the defendant is an Austrian citizen residing in Vienna, the plaintiff is a family-run optician's company that focuses its business on the German states of North Rhine-Westphalia and Lower Saxony. It also offers online retail services that ship within Germany. The plaintiff offers the option to subscribe to a newsletter on its website, which provides information about special offers and discounts at its branches located in North Rhine-Westphalia. When subscribing to the newsletter, the interested party must proactively provide their data, whereby only the email address is required for successful registration. The interested party must consent to the processing of their data, and they are directed to the plaintiff's privacy policy via an anchor link. When subscribing to the newsletter, the interested party must proactively provide their data, whereby only the provision of an email address is required for successful registration. On March 13, 2023, the defendant subscribed to the plaintiff's newsletter, providing his email address @ “ and also his first and last name. On March 29, 2023, the defendant sent a request for information pursuant to Article 15 GDPR by fax, using letterhead containing his full residential address, email address, and fax number. On April 26, 2023, the plaintiff refused to provide the information, arguing that the request was an abuse of rights. The plaintiff cited media reports that the defendant subscribed to numerous newsletters solely for the purpose of pursuing claims for damages. Furthermore, the plaintiff informed the defendant that he could lodge a legal remedy with the supervisory authority of the State of North Rhine-Westphalia and with the court responsible for Arnsberg. By letter dated On June 29, 2023, the defendant's legal representative rejected the accusation of abuse of rights and demanded compensation in the amount of €1,000.00 due to a restriction of the defendant's rights, his loss of control, and his experience of emotional distress, as well as compensation for material damages resulting from the extrajudicial activities of his legal representative, based on a value in dispute of €6,000.00. The plaintiff maintains that the rejection of the defendant's request was permissible due to his abusive intent. The registration for the newsletter was solely for the purpose of later claiming damages. The numerous blog posts on the internet demonstrate that the defendant developed a three-step business model (newsletter registration, request for Article 15 GDPR, and claiming damages). In addition to this publicly available information from the internet, the specific procedure suggests that it was not a permissible enforcement of rights, because the defendant as a person living abroad, had registered for a newsletter with information about the plaintiff's branch operations in North Rhine-Westphalia and submitted his request for information just two weeks later. The plaintiff originally sought a declaratory judgment that the defendant had no claim against the plaintiff for payment of compensation in the amount of EUR 1,000.00 for refusing the data protection information request submitted by the defendant on March 29, 2023, as requested in the letter of June 29, 2023. 4 After the defendant filed a counterclaim, among other things for payment of damages in the amount of EUR 1,000.00, the parties mutually agreed to settle the legal dispute with regard to the claim. With regard to the claim, the parties have submitted reciprocal motions for costs. Counterclaim The defendant requests that the plaintiff be ordered to: 1. provide the defendant with a copy of all personal data that the plaintiff processes concerning the defendant. 2. provide the defendant with information about the purposes for which the plaintiff processes the defendant's personal data. 3. provide the defendant with information about the recipients of his data to whom the plaintiff has transmitted the defendant's personal data. 4. provide the defendant with information as to whether the plaintiff has carried out automated decision-making or profiling concerning the defendant's personal data. 5. pay the defendant monetary compensation for non-pecuniary damages, the amount of which is to be determined at the court's discretion, but should not be less than EUR 1,000.00. The plaintiff requests that the counterclaim be dismissed. The defendant claims that he regularly resides in Germany, particularly in Munich and in Düsseldorf and therefore have an interest in the plaintiff's business. He has suffered non-material damage due to the loss of control over his data. He has been deprived of the right, as a natural person, to be able to verify that his data is being processed correctly and lawfully. The entries about him on the internet are unverified information and aggressive advertising measures by lawyers. He has suffered damage because his other rights to rectification, erasure, restriction of processing, data portability, and objection under Article 16 GDPR have been restricted. Furthermore, the non-material damage is based on emotional distress, as the defendant, being a data protection-sensitive person, values it that all institutions associated with him comply with data protection regulations. The refused information has triggered worries and anxieties in him regarding the fate of his data. He feels considerable The defendant was annoyed because the refusal made transparency regarding data usage more difficult. The court referred the present proceedings to the European Court of Justice for a preliminary ruling by order of July 31, 2024. Reference is made to the judgment there (Judgment of March 19, 2026, Case C-526\u002F24). Furthermore, reference is made to the case file and the parties' written submissions. Reasons for the decision: The action was originally admissible and well-founded; the counterclaim is unfounded. The plaintiff was justified in refusing the defendant's request for information. I. The defendant has no right to receive a copy of the personal data processed by the plaintiff or to be provided with the requested information about the use of his data provided, pursuant to Article 15(1) and (3) of the GDPR. This is because the plaintiff was, according to the GDPR, Article 12(5)(b) GDPR justifies rejecting the request of the defendant as excessive. According to the judgment of the European Court of Justice of 20 March 2026 in the preliminary ruling procedure C-526\u002F24, even an initial request to a person obliged to provide information can be excessive and rejected on the grounds of abuse of rights. The applicant has sufficiently demonstrated that this intent to abuse the system existed on the part of the defendant. Based on the judgment of the European Court of Justice of 20 March 2026, Case C-526\u002F24, the prerequisites for proving abusive conduct are: firstly, the totality of the objective circumstances which, despite formal compliance with the conditions, fail to achieve the objective of the regulation, and secondly, from a subjective perspective, the intent to gain an advantage from the EU regulation by artificially creating the conditions for obtaining the information. This is always the case when the person submits the request for a purpose other than to become aware of the data processing and to verify its lawfulness in order to subsequently protect rights under the GDPR, i.e., when a claim for damages is artificially created. All circumstances of the individual case are decisive for this assessment. In particular, it can be taken into account whether a data subject provided their data voluntarily, or what purpose the provision of the data served, the time elapsed between the provision of the data and the access request, and the data subject's other conduct. In this context, the controller may also consider publicly available information from the internet, provided that this is corroborated by other relevant evidence. Therefore, taking all circumstances into account, the court is convinced that the defendant's conduct was abusive. This conclusion is based on the following points: First, the defendant voluntarily provided his data. To this end, he not only used a non-anonymized email address but also provided his full name, thus voluntarily providing even more data than would have been required for newsletter registration. The court was unable to establish any personal interest on the part of the defendant in the newsletter. Even if the defendant wears glasses, the court cannot discern any interest in the plaintiff's newsletter. The defendant resides in Austria; the plaintiff, however, only operates a shipping service from its online shop within Germany. The plaintiff forwards discount information for branches in North Rhine-Westphalia via newsletter. The defendant's claim that he visits friends four times a year, including in Düsseldorf, where the plaintiff operates branches, has not been proven, despite the defendant's secondary burden of proof in this regard. But even if this were true, the court has considerable doubts as to whether a person who wears glasses would buy them in a store so far from their residence. If so, for example, asserting warranty claims would be very time-consuming due to the geographical distance. Furthermore, glasses purchased at a discount in North Rhine-Westphalia would not be significantly cheaper than glasses purchased at the regular price near their residence to offset the travel costs and justify the time investment. Purchasing glasses in Germany offers the defendant no discernible advantage. Therefore, there can be no interest in the plaintiff's company or its newsletter. The defendant failed to demonstrate a personal interest in the newsletter in question, even at the oral hearing. Despite being ordered to appear in person, the defendant was not present. The question of whether the power of attorney granted to his legal representative was valid pursuant to Section 141 Paragraph 3 Sentence 2 of the German Code of Civil Procedure (ZPO) can remain undecided. This is because the legal representative could only provide superficial information regarding his client's interest in the newsletter and was not sufficiently able to clarify the facts, as evidenced by his statement that he believed the defendant wore contact lenses. The time elapsed between the provision of the data and the request for information was nine days. Therefore, the interval is very short. It appears questionable whether and how frequently the plaintiff actually processed the defendant's data during this relatively short period. There are considerable doubts as to that the defendant had a genuine interest in a right to information at such an early stage. Rather, this short period of time constitutes further evidence that the defendant intended to artificially create the conditions for a claim for damages. 8 The circumstances that the defendant's request for information was sent to the plaintiff by fax using his complete letterhead also fit into this picture already formed. In this respect, the defendant once again voluntarily provided more data than would have been necessary for his request. The assertion that faxing offers the advantage of receiving a confirmation of receipt is not convincing in this regard. The fact that the defendant apparently did not file a complaint with the State Office for Data Protection also demonstrates that his intention was to artificially create claims for damages. Had the defendant truly been concerned with clarification and preventing or stopping future data protection violations, this approach would have been more effective than a single claim for damages. This picture is supported by information the plaintiff was able to obtain from the internet. Even at that time, there were reports of mass cease-and-desist letters being sent by the defendant in forums and by lawyers. The plaintiff was entitled to use this source of information to support her stance in defending herself against the request for information, because, as already demonstrated, there was also sufficient evidence indicating abusive conduct by the defendant. The court is not convinced that blog posts or reports from lawyers were purely promotional statements. Rather, it should be considered that in addition to the cases mentioned online, there is likely a much higher number of unreported cases in which the recipient of the cease-and-desist letter did not seek legal assistance or did not publicize the case online. This impression is further reinforced by the fact that the defendant's legal representative could have substantively countered this claim at the oral hearing and specified the number of cases. Simply claiming, when questioned, that no information could be provided and that it involved internal matters, is unconvincing. Furthermore, the defendant's behavior is highly inconsistent. If the defendant is indeed such a data-sensitive person, as he claims, one would expect a much more defensive and cautious approach from him. Instead, he voluntarily subscribes to an increasing number of newsletters, in this case from a company, for which no genuine interest can be discerned, repeatedly and voluntarily disclosing more than the required amount of data. Based on the publicly accessible information about the defendant's behavior, the subscription in this case also occurred at a time when he had already subscribed to many newsletters. He must have been aware at that point of the risk to which he was exposing his data. One would have expected a very data-sensitive person to handle their data differently than the behavior evident here. In light of these numerous indications, the abusive intent cannot be dismissed simply by asserting that the defendant not only sued for damages but also sought the disclosure of his data in court. The defendant's argument that the plaintiff is precluded from raising the defense of abuse of rights due to a formally invalid refusal is also unconvincing. Even assuming any formal errors exist, they would only give rise to secondary claims, but would not negate the existence of the substantive defense under Article 12(5) GDPR. II. The counterclaim is also unfounded with regard to the claim under point 5) for payment of monetary compensation under Article 82(1) GDPR. This is because no such claim exists due to the lack of a violation of the GDPR. The plaintiff was entitled to refuse the defendant's request for information because of the defendant's abusive intent (see above). Although the court has doubts as to whether the defendant has sufficiently substantiated the amount of the damage , a claim for compensation would in any case also fail because the causal link between the breach and the damage is broken, since the defendant's own conduct alone triggered the alleged loss of control and the alleged uncertainty (see CJEU, Judgment of 19 March 2026, Case C-526\u002F24). 10 Furthermore, the court cannot identify any formal defect in the plaintiff's letter of refusal that would give rise to a claim for damages. The deadline of Article 12(4) GDPR was met. The court can neither find, nor has the defendant substantiated, that the plaintiff culpably delayed its response. The defendant's objection that the plaintiff needed little time for the research on the Internet is unconvincing, as only a response immediately after the decision is made is required, not a faster decision at all (see Quaas, BeckOK DatenschutzR, Wolff\u002FBrink\u002Fv.Ungern- Sternberg, 55th edition 2022, GDPR Art. 12 para. 40). The controller must be granted a certain amount of time to review the request (see Heckmann\u002FPaschke, in: Ehmann\u002FSelmayr, Datenschutz-Grundversordnung, 3rd edition 2024, GDPR Art. 12 para. 39). The court also finds no lack of reasoning. The reasons why the plaintiff rejected the request are understandable and explained in sufficient detail. The court cannot identify any formulaic rejection (see Ehmann\u002FSelmayr, General Data Protection Regulation, 3rd ed. 2024, GDPR Art. 12 para. 37). Thus, after receiving the rejection letter, the defendant was able to examine whether or not he wished to lodge an appeal against the rejection (see Bäcker, in: Kühling\u002FBuchner, GDPR BDSG, 4th ed. 2024, GDPR Art. 12 para. 32). Nor can the court identify any error in the instructions on legal remedies, in that the plaintiff only referred to the possibility of filing a complaint with the State Commissioner for Data Protection and Freedom of Information in North Rhine-Westphalia, but not also with an authority in the defendant's home country. Thus, the wording of Article 12(4) GDPR requires that information about the possibility of a legal remedy be provided before one, not all, authorities. This is also reflected in the fact that the wording only requires information about a legal remedy before one authority or a court, not both cumulatively. Furthermore, it cannot be required of the plaintiff, as a private company, to provide information about all bodies responsible for the requesting party regarding complaints for every GDPR request.What the law requires of a private individual here is alien to the system and is otherwise required of authorities or courts (see Heckmann\u002FPaschke, in: Ehmann\u002FSelmayr, General Data Protection Regulation, 3rd ed. 2024, GDPR Art. 12 para. 41). III. 11 Due to the lack of prerequisites, the alternative requests for suspension of the proceedings and referral of the case to the Court of Justice of the European Union for a preliminary ruling, and alternatively pending a decision in the proceedings mentioned in the requests, could not be granted. This is because, firstly, the court finds no evidence whatsoever that the defendant's actions were also motivated by the desire to inform the website operator about the data protection issues associated with the integration of Google Fonts. The defendant has not relied on this argument either in or out of court. The motion is now being made purely as a procedural tactic. Otherwise, the defendant would have had to involve the data protection authority extensively if he were pursuing a proselytizing agenda. Since, following the referral to the European Court of Justice in these proceedings and the subsequent review by the court, it is established that there has been no breach of the duty to provide information, a further stay of proceedings pending other proceedings is not necessary. IV. The procedural ancillary decisions are based on Sections 91(1), 91a, and 709 of the German Code of Civil Procedure (ZPO). The amount in dispute is set at EUR 3,000.00. Since, following the referral to the European Court of Justice in these proceedings and the review now being conducted by the court, it is established that there has been no breach of the duty to provide information, no further stay of proceedings is necessary. pending further proceedings. Legal Remedies Instructions: A) An appeal against this judgment is admissible for anyone who is adversely affected in their rights by this judgment, 1. if the value of the subject matter of the appeal exceeds EUR 1,000.00 or 2. if the appeal has been granted by the Local Court in the judgment. The appeal must be filed with the Regional Court of Arnsberg, Brückenplatz 7, 59821 Arnsberg, within a non-extendable deadline of one month after service of this judgment. The notice of appeal must state the title of the judgment against which the appeal is directed and declare that an appeal is being filed against this judgment. Unless already stated in the notice of appeal, the grounds for the appeal must be submitted to the Regional Court of Arnsberg within two months after service of this judgment. 12 The parties must be represented by a lawyer before the Arnsberg Regional Court. In particular, the notice of appeal and the statement of grounds of appeal must be signed by a lawyer. A copy or certified copy of the judgment being appealed must be submitted with the notice of appeal. B) An appeal against the determination of the value in dispute may be lodged with the Arnsberg Local Court if the value of the subject matter of the appeal exceeds EUR 300.00 or if the Local Court has granted leave to appeal. The appeal must be filed in writing in German or recorded by the clerk of the court at the Arnsberg Local Court, Eichholzstr. 4, 59821 Arnsberg, no later than six months after the decision in the main proceedings has become final or the proceedings have otherwise been concluded. The appeal may also be recorded by the clerk of any Local Court. ... If the amount in dispute is determined less than one month before the expiry of this period, the appeal may still be filed within one month of service or informal notification of the order determining the amount in dispute. Note regarding electronic legal transactions: Filing is also possible by transmitting an electronic document to the court's electronic mailbox. The electronic document must be suitable for processing by the court and bear a qualified electronic signature of the responsible person, or be signed by the responsible person and submitted via a secure transmission channel in accordance with Section 130a of the German Code of Civil Procedure (ZPO) and the more detailed provisions of the Ordinance on the Technical Framework Conditions for Electronic Legal Transactions and on the Special Electronic Mailbox for Public Authorities (Federal Law Gazette 2017 I, p. 3803). Attention is drawn to the obligation for professional filers to submit documents electronically from January 1, 2022, by the Act on the Expansion of Electronic Legal Transactions with the Courts of October 10, 2013, the Act on the Introduction of Electronic Files in the Judiciary and on the Further Promotion of Electronic Legal Transactions of July 5, 2017, and the Act on the Expansion of Electronic Legal Transactions with the Courts and on the Amendment of Other Provisions of October 5, 2021. Further information is available on the website www.justiz.de.13","A German local court ruled that a company can reject a data subject's GDPR access request if it's made with the abusive intent to artificially create a claim for damages. The court cited the data subject's Austrian residency, lack of clear interest in a regional newsletter, and online reports of similar behavior as indicators of abuse. This decision aligns with a preliminary ruling from the CJEU.","German court rules controller can reject GDPR access request if data subject intends to create damages claim.","Help AG Arnsberg - 42 C 434\u002F23: Difference between revisions From GDPRhub Jump to:navigation, search Newer edit →VisualWikitext Revision as of 07:13, 13 July 2026 view source Av (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators74 edits Tag: submission [1.0]Newer edit → (No difference) Revision as of 07:13, 13 July 2026 AG Arnsberg - 42 C 434\u002F23 Court: AG Arnsberg (Germany) Jurisdiction: Germany Relevant Law: Article 12(5)(b) GDPR Article 15 GDPR Article 82 GDPR Decided: 01.07.2026 Published: 01.07.2026 Parties: Brillen Rottler GmbH & Co. KG National Case Number\u002FName: 42 C 434\u002F23 European Case Law Identifier: Appeal from: Appeal to: Unknown Original Language(s): German Original Source: TRÖBER legal (in German) Initial Contributor: av A court held that a controller may reject a first access request as excessive under Article 12(5)(b) GDPR if the data subject requests access with the abusive intent to artificially create a claim for damages against the controller. Contents 1 English Summary 1.1 Facts 1.2 Holding 2 Comment 3 Further Resources 4 English Machine Translation of the Decision English Summary Facts An Austrian citizen residing in Vienna (the data subject) subscribed to the newsletter of a family-run optician company (the controller) mainly operating in the German states of North Rhine-Westphalia and Lower Saxony in March 2023. During the registration process, he provided his email address as well as his first and last name and consented to the processing of his personal data. He then made an access request under Article 15 GDPR by fax, using letterhead that included his full home address, email address, and fax number. The controller refused to provide the requested information in April 2023 as it considered the request to constitute abuse of rights. It cited newspaper reports indicating that the defendant had subscribed to numerous newsletters solely for the purpose of asserting claims for damages. The controller brought proceedings concerning the legality of its rejection of the access request. The data subject demanded access to the information required by in Article 15 GDPR and the payment of monetary compensation of €1,000 in a counter-lawsuit. The court referred the case to the CJEU for a preliminary ruling in July 2024. The CJEU rendered its judgment in the case C-526\u002F24 Brillen Rottler on 19 March 2026. It held that even an initial access request could be rejected on the grounds of an abuse of rights. According to the CJEU, the assessment of abusive conduct is based on all circumstances of the individual case. Both objective circumstances and the subjective intent of the data subject need to be taken into account. An abusive intent always exists if the access request is made in order to artificially create a claim for damages. Holding The court held that the lawsuit had originally been well-founded and ruled that the counterclaims were without merit. According to the court, the controller could reject the data subject’s access request as excessive under Article 12(5)(b) GDPR. The data subject also had no right to damages under Article 82 GDPR due to the absence of a GDPR violation. The court referred to the preliminary ruling in the case C-526\u002F24 and based its decision on an overall assessment of the objective and subjective circumstances of the present case as required by the CJEU decision. It held that the data subject’s conduct had been abusive. To the conviction of the court, there were numerous indications of abusive conduct: first, the data subject had voluntarily disclosed more personal data than was needed to subscribe to the newsletter. Second, the court could not identify any personal interest in a regional newsletter concerning operations in Nordrhein-Westfalen, as the data subject was an Austrian resident. In addition, the court took into account that the data subject had made the access request only nine days after subscribing to the newsletter and had not filed a complaint with the competent DPA before raising a claim for damages. Finally, information on the internet about numerous cease-and-desist letters sent by the data subject pointed to abusive conduct. Comment Share your comments here! Further Resources Share blogs or news articles here! English Machine Translation of the Decision The decision below is a machine translation of the German original. Please refer to the German original for more details. 42 C 434\u002F23 Arnsberg Local Court IN THE NAME OF THE PEOPLE Judgment In the legal dispute between GmbH & Co. KG, represented by its general partner, Verwaltungsgesellschaft mbH, which is represented by its managing directors, and Arnsberg, Plaintiff and Defendant in Counterclaim, Attorneys: Tröber, Am Mittelhafen 10, 48155 Münster, against Mr. , , Austria, Defendant and Counterclaimant, Attorneys: Arnsberg Local Court, in written proceedings with a deadline for filing written submissions until June 1, 2026, by Judge rule as follows: 2 The counterclaim is dismissed. The defendant shall bear the costs of the proceedings and the preliminary ruling procedure (Case No. C-526\u002F24). The defendant shall bear the costs of the proceedings and the preliminary ruling procedure. The judgment is provisionally enforceable upon provision of security in the amount of 110% of the respective amount to be enforced. Facts: The parties are in dispute, in the context of the claim, which has been declared settled by mutual agreement, regarding the legality of the plaintiff's refusal to provide data access under the GDPR, and in the context of the counterclaim, regarding the plaintiff's obligation to provide information under the GDPR and to pay monetary compensation. While the defendant is an Austrian citizen residing in Vienna, the plaintiff is a family-run optician's company that focuses its business on the German states of North Rhine-Westphalia and Lower Saxony. It also offers online retail services that ship within Germany. The plaintiff offers the option to subscribe to a newsletter on its website, which provides information about special offers and discounts at its branches located in North Rhine-Westphalia. When subscribing to the newsletter, the interested party must proactively provide their data, whereby only the email address is required for successful registration. The interested party must consent to the processing of their data, and they are directed to the plaintiff's privacy policy via an anchor link. When subscribing to the newsletter, the interested party must proactively provide their data, whereby only the provision of an email address is required for successful registration. On March 13, 2023, the defendant subscribed to the plaintiff's newsletter, providing his email address @ “ and also his first and last name. On March 29, 2023, the defendant sent a request for information pursuant to Article 15 GDPR by fax, using letterhead containing his full residential address, email address, and fax number. On April 26, 2023, the plaintiff refused to provide the information, arguing that the request was an abuse of rights. The plaintiff cited media reports that the defendant subscribed to numerous newsletters solely for the purpose of pursuing claims for damages. Furthermore, the plaintiff informed the defendant that he could lodge a legal remedy with the supervisory authority of the State of North Rhine-Westphalia and with the court responsible for Arnsberg. By letter dated On June 29, 2023, the defendant's legal representative rejected the accusation of abuse of rights and demanded compensation in the amount of €1,000.00 due to a restriction of the defendant's rights, his loss of control, and his experience of emotional distress, as well as compensation for material damages resulting from the extrajudicial activities of his legal representative, based on a value in dispute of €6,000.00. The plaintiff maintains that the rejection of the defendant's request was permissible due to his abus","https:\u002F\u002Fgdprhub.eu\u002Findex.php?title=AG_Arnsberg_-_42_C_434\u002F23&diff=52189&oldid=0","https:\u002F\u002Fgdprhub.eu\u002Fimages\u002F4\u002F4c\u002FCourts_logo1.png","2026-07-13T07:13:52+00:00","2026-07-13T08:00:11.780772+00:00",7,[18,21],{"name":19,"type":20},"GDPR","product",{"name":22,"type":23},"Brillen Rottler GmbH & Co. KG","vendor","c5c77cdb-f7d7-4990-9436-c81dcbff1163",{"id":24,"icon":26,"name":27,"slug":28},null,"Policy","policy",[30,34,39],{"category":31},{"id":32,"icon":26,"name":19,"slug":33},"3f0f8451-91df-4b6c-9a73-ef3b2509b7f1","gdpr",{"category":35},{"id":36,"icon":26,"name":37,"slug":38},"53f9c4b6-8bc6-4964-9169-d09e5cd41d72","Compliance","compliance",{"category":40},{"id":24,"icon":26,"name":27,"slug":28},[]]