A request for access to one’s own personal data may be considered abusive and refused if it is made for the sole purpose of subsequently claiming compensation for an alleged infringement of the GDPR

25 March 2026

The EU Court of Justice ruled that even a first request for access to personal data may be deemed abusive under the GDPR if it is made solely to generate compensation claims, allowing controllers to refuse such requests.

An individual residing in Austria subscribed to the newsletter of the family run optician company Brillen Rottler, established in Arnsberg, Germany, by entering his personal data in the registration form available on the company’s website.

Thirteen days later, he sent a request for access to Brillen Rottler under Article 15 of the General Data Protection Regulation (GDPR). According to that regulation, a data subject is to have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, the right of access to those data and the information relating thereto.

Brillen Rottler refused the request, considering it to be abusive. According to Brillen Rottler, various reports, blog articles and lawyers’ newsletters show that that individual systematically subscribes to newsletters of various companies before submitting a request for access and then a claim for compensation. The individual, by contrast, maintained that his request for access was legitimate and claimed compensation of at least €1,000 from Brillen Rottler for the non-material damage that he claims to have suffered as a result of the refusal of that request for access.

The Local Court, Arnsberg, hearing the dispute between Brillen Rottler and that individual concerning the legitimacy of the request for access and the claim for compensation, asked the Court of Justice whether a first request for access to personal data made by the data subject may be regarded as ‘excessive’ and whether that data subject is entitled to compensation for the damage resulting from an infringement of the right of access to those data.

The Court replies that a first request for access may, in certain circumstances, already be regarded as ‘excessive’ within the meaning of the GDPR and may therefore be abusive.

That is the case where the controller demonstrates that, despite formal observance of the conditions laid down by the GDPR for making a request for access, that request was made not for the purpose of being aware of the processing of the data and verifying the lawfulness of that processing, 4 but with the intention, which may be characterised as ‘abusive’, of artificially creating the conditions laid down for obtaining compensation under the GDPR.

Read more here