[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fIbH4WtscTn7Nz3JwHUGQj42A6PPGTvF88X9dSJ0Uiog":3},{"article":4,"iocs":42},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":24,"category":25,"article_tags":29},"253c507e-6297-4b84-b1dd-4314730a87dc","CJEU - C-526\u002F24 - Brillen Rottler","cjeu-c-526-24-brillen-rottler-9121a5","← Older revision Revision as of 09:14, 13 July 2026 Line 107: Line 107: == Comment == == Comment == ''Share your comments here!'' The case [[AG Arnsberg - 42 C 434\u002F23]] was decided by the referring court on 1 July 2026. == Further Resources == == Further Resources == ''Share blogs or news articles here!'' ''Share blogs or news articles here!''","The Court of Justice of the European Union (CJEU) has ruled that even a first-time data access request under GDPR can be considered excessive if the data subject has abusive intent. This applies particularly when the individual appears to be artificially creating a claim for compensation against the data controller. The case involved a data subject who requested information from an optician company shortly after subscribing to their newsletter, with the company subsequently refusing the request due to suspected abuse of rights.","CJEU rules first GDPR access request can be excessive if data subject acts with abusive intent.","Help CJEU - C-526\u002F24 - Brillen Rottler: Difference between revisions From GDPRhub Jump to:navigation, search ← Older editVisualWikitext Revision as of 13:48, 25 March 2026 view sourceDt (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators393 editsmTag: Visual edit← Older edit Latest revision as of 09:14, 13 July 2026 view source Av (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators76 editsmTag: Visual edit Line 107: Line 107: == Comment ==== Comment == ''Share your comments here!''The case [[AG Arnsberg - 42 C 434\u002F23]] was decided by the referring court on 1 July 2026. == Further Resources ==== Further Resources == ''Share blogs or news articles here!''''Share blogs or news articles here!'' Latest revision as of 09:14, 13 July 2026 CJEU - C-526\u002F24 Brillen Rottler Court: CJEU Jurisdiction: European Union Relevant Law: Article 12(5) GDPR Article 82(1) GDPR Decided: Parties: Brillen Rottler GmbH & Co. KG Case Number\u002FName: C-526\u002F24 Brillen Rottler European Case Law Identifier: ECLI:EU:C:2026:216 Reference from: AG Arnsberg (Germany)42 C 434\u002F23 Language: 24 EU Languages Original Source: AG OpinionJudgement Initial Contributor: tjk The CJEU held that even a first access request could be considered excessive in case the data subject acted with abusive intent, specifically if the data subject tries to artificially create a claim for compensation against a controller. Contents 1 English Summary 1.1 Facts 1.2 Advocate General Opinion 1.2.1 In addressing the first, second, third, and seventh questions referred by the national court: 1.2.2 In addressing the the fourth, fifth and sixth questions referred by the national court : 1.2.3 Conclusion 1.3 Holding 1.3.1 Is a first access request excessive in accordance with Article 12(5) GDPR, and under what circumstances is it possible to establish such an excessive nature? (Questions 1, 2, 3 and 7) 1.3.2 Does Article 82(1) confer the right to compensation for damages resulting from an infringement of the right to access? (questions 5 and 6) 1.3.3 Does non-material damage for data subjects include loss of control or uncertainty over how their data is processed? (question 8) 2 Comment 3 Further Resources English Summary Facts On 16 March 2023, the data subject (a private individual living in Vienna) subscribed to the ‘newsletter’ on the website of the controller (a family run optician company established in North Rhine-Westphalia) by entering his personal data in the registration form, confirming his consent to data processing by ticking a box and submitting the form. On 29 March 2023, the data subject sent by fax an information request pursuant to Article 15 GDPR. The controller acknowledged receipt of the request and stated that it would respond to it within the one-month period. However, by letter of 26 April 2023, the controller refused to provide the information since it classified the information request as an abuse of right for the purposes of the second sentence of Article 12(5)(b) GDPR. The controller sought a declaration from the referring court that the data subject is not entitled to compensation in the amount of €1000. The court decided to refer the following questions set out in point I. to the CJEU for a preliminary ruling pursuant to Article 267 TFEU: Is the second sentence of Article 12(5) GDPR to be interpreted as meaning there cannot be an excessive information request from the data subject when the first request is made to the controller? Is the second sentence of Article 12(5) GDPR to be interpreted as meaning that the controller can refuse an information request from the data subject if the data subject intends to use the information request to provoke claims for damages against the controller? Is the second sentence of Article 12(5) GDPR to be interpreted as meaning that grounds for refusing to provide information can be provided by publicly available information about the data subject which suggests that the data subject is asserting claims for damages against the controller in a large number of cases of infringement of the law relating to the protection of personal data? Is Article 4(2) GDPR to be interpreted as meaning that an information request from a data subject to the controller pursuant to Article 15(1) GDPR and\u002For a response to that request constitutes processing within the meaning of Article 4(2) GDPR? In view of the first sentence of recital 146 GDPR, is Article 82(1) GDPR to be interpreted as meaning that only damage which the data subject suffers or has suffered as a result of processing is eligible for compensation? Does this mean that for there to be a claim for damages under Article 82(1) GDPR – assuming causal damage to the data subject exists – there must necessarily have been processing of the data subject’s personal data? If the answer to Question 5 is in the affirmative: Does this mean that the data subject – assuming causal damage exists – has no claim for compensation under Article 82(1) GDPR solely on the basis of an infringement of his or her right to information under Article 15(1) GDPR? Is Article 82(1) GDPR to be interpreted as meaning that the controller’s objection relating to an abuse of right in relation to an information request from the data subject cannot, in view of EU law, consist in the fact that the data subject brought about processing of his or her personal data solely or inter alia in order to assert claims for damages? If the answers to Questions 5 and 6 are in the negative: Does the mere loss of control and\u002For uncertainty about the processing of the data subject’s personal data associated with an infringement of Article 15(1) GDPR constitute non-material damage to the data subject within the meaning of Article 82(1) GDPR or does it also require a further (objective or subjective) restriction and\u002For (significant) damage to the data subject? Advocate General Opinion In addressing the first, second, third, and seventh questions referred by the national court: The excessive character of an initial access request Advocate General emphasized that while an initial access request can, in theory, be considered \"excessive,\" this must be limited to exceptional circumstances since the right of access is fundamental and linked to other GDPR rights. The circumstances that allow a request to be characterized as ‘excessive’ The Advocate General analyzed when a data access request under Article 15 GDPR could be considered excessive under Article 12(5) GDPR . He concluded that such a request may only be treated as excessive if the controller can demonstrate an abusive intention. However, merely having a pattern of making similar claims in many cases does not, on its own, prove abuse, and strict criteria must be applied to ensure that the fundamental right of access is not unduly restricted. In addressing the the fourth, fifth and sixth questions referred by the national court : The event giving rise to the damage within the meaning of Article 82 of the GDPR The Advocate General analyzed whether only data processing that violates the GDPR can give rise to compensation under Article 82 GDPR. He concluded that not just unlawful processing, but any infringement of the GDPR can be a basis for compensation, provided that damage and a causal link are proven. The concept of ‘processing’ for the purposes of the right to compensation The Advocate General explains that although sending an access request is not \"processing\" under the GDPR, a controller’s act of responding to such personal data , which can fall under the scope of the GDPR. However, the actual damage arises not from this technical processing, but from the unjustified refusal to fulfill the access request. To ensure the effectiveness of Article 15 GDPR and the right to compensation under Article 82, the concept of “processing that caused the damage” should be interpreted broadly. The existence of non-material damage The Advocate General ","https:\u002F\u002Fgdprhub.eu\u002Findex.php?title=CJEU_-_C-526\u002F24_-_Brillen_Rottler&diff=52191&oldid=51128","https:\u002F\u002Fgdprhub.eu\u002Fimages\u002F8\u002F87\u002FCjeulogo.png","2026-07-13T09:14:19+00:00","2026-07-13T10:00:14.745836+00:00",7,[18,21],{"name":19,"type":20},"newsletter","product",{"name":22,"type":23},"Brillen Rottler GmbH & Co. KG","vendor","c5c77cdb-f7d7-4990-9436-c81dcbff1163",{"id":24,"icon":26,"name":27,"slug":28},null,"Policy","policy",[30,35,40],{"category":31},{"id":32,"icon":26,"name":33,"slug":34},"3f0f8451-91df-4b6c-9a73-ef3b2509b7f1","GDPR","gdpr",{"category":36},{"id":37,"icon":26,"name":38,"slug":39},"614132b8-5837-4952-b8b5-c6c9a32a1d85","Privacy","privacy",{"category":41},{"id":24,"icon":26,"name":27,"slug":28},[]]