Have you ever tried to find out who is processing your data and exercised your right under Article 15 GDPR? It is a useful transparency tool for data subjects – who are in many circumstances consumers as well, for instance when subscribing to an online newsletter or creating an account with an e-commerce platform. Based on this right, you can obtain from a data controller (often a company in a B2C relationship) confirmation of whether your personal data are being processed, and if so – for whatpurposes, which categories of data, who has received access to them, etc. You can also request a copy of your data.
Some individuals, however, exercise this right not to verify the lawfulness of data processing, but to “provoke” a situation in which a refusal – or any procedural shortcoming – will trigger a compensation claim under Article 82 GDPR. This is precisely what the case C-526/24 Brillen Rottler GmbH & Co. KG v TC is about.
The facts are relatively simple: an individual subscribed to the newsletter of Brillen Rottler, a family-run optician company based in Arnsberg, Germany, by voluntarily entering his personal data on the company's website. Thirteen days later, he submitted a request for access to his personal data under Article 15 GDPR (paras. 12–14). Brillen Rottler refused to comply, arguing that the request was abusive, because press reports, blog posts and lawyers' newsletters showed that the individual systematically subscribed to newsletters from various companies, then submitted access requests and subsequently filed claims for compensation (para. 15). The data subject denied any abusive intent and claimed compensation of at least EUR 1,000 for non-material damage resulting from the refusal itself (para. 16).
 |
| Designed by Freepik |
The Local Court of Arnsberg, before which the dispute was brought, referred several questions to the Court of Justice for a preliminary ruling (para. 20). In essence, it asked: first, can a first access request already be considered "excessive" within the meaning of Article 12(5) GDPR, and if so, under what conditions? Second, does the right to compensation under Article 82 GDPR extend to damage caused not by unlawful processing of data, but by a wrongful refusal to act on an access request? And third, can the causal link required under Article 82 be broken by the data subject's own conduct?
What did the CoJ find?
On the "excessive" first request (questions: 1-3, 7)
The Court confirmed that even a first access request – not just a series of repeated ones – may, in certain circumstances be regarded as "excessive" within the meaning of Article 12(5) GDPR, and thus refused. However, it stressed that this exception must be interpreted strictly. The concept of "excessive requests" is inherently exceptional, and there must be strict criteria for characterising a first request as such. Crucially, the burden of proving that excessiveness lies explicitly with the controller (para. 35). It is not enough to point to a pattern of behaviour visible in public sources – for instance, that the individual has submitted similar requests and claims to multiple controllers. Such information may be taken into account, but only if it is supported by other relevant material (para. 43). What is required is a combination of two elements: objective circumstances showing that "despite formal observance of the conditions laid down by the EU rules, the purpose of those rules has not been achieved"; and a subjective element "consisting in the intention of the data subject to obtain an advantage from the EU rules by artificially creating the conditions laid down for obtaining it" (para. 36).
In practical terms, the controller must demonstrate unequivocally that the access request was not made to become aware of, or verify the lawfulness of, the data processing, but solely to create a ground for compensation (para. 41). In making that assessment, the court should look at all circumstances of the case: did the data subject provide their data voluntarily and without any obligation? What was the purpose of doing so? How much time elapsed between the data submission and the access request? And how did the data subject behave throughout (para. 42)?
On the scope of compensation under Article 82 GDPR (questions 5-6)
The second issue concerned a broader question: does Article 82(1) GDPR – which grants compensation for "damage resulting from an infringement" of the GDPR – cover situations where the damage stems not from the processing of personal data as such, but from a controller's wrongful refusal to respond to an access request?
The Court answered in the affirmative. It reasoned that many of the rights enshrined in Chapter III of the GDPR – including the right of access, rectification, erasure, restriction, and portability – by their very nature produce infringements through refusals to act, rather than through any particular act of processing (para. 51). If compensation under Article 82 were limited exclusively to damage caused by unlawful processing, the rights of data subjects laid down in Chapter III would be significantly weakened and the effectiveness of the provision undermined (para. 53). In other words, the Court opted for a broad interpretation of Article 82(1), consistent with its literal wording, which covers damage resulting from any "infringement of this Regulation" not merely from unlawful data processing as such.
On causation – and the data subject's own conduct (question 8)
The third and most practically significant finding concerns the causal link. Even where a GDPR infringement is established and damage is claimed, compensation is only available if the data subject demonstrates actual harm and a causal link between that harm and the infringement. That link is a condicio sine qua non of any claim under Article 82(1) (para. 66).
Critically, the Court held that the causal link may be broken by the data subject's own conduct – provided that conduct proves to be the determining cause of the damage (para. 65). Where a person has voluntarily provided their data to a controller with the specific aim of artificially creating the conditions for a compensation claim, the resulting loss of control over data or uncertainty as to their processing cannot be attributed to the controller. The data subject cannot then claim compensation for harm that was, in substance, the result of their own deliberate decision (para. 66).
Final remarks
The Brillen Rottler case is not a revolution. The Court builds on what it has already established in Österreichische Datenschutzbehörde (C-416/23), FT (C-307/22), and Österreichische Post (C-300/21), but takes it one step further. What is new is the clarity – a first access request can be abusive, the causal link in compensation claims can be broken by the data subject's own conduct, and Article 82(1) GDPR covers more than just unlawful processing. The CoJ tries to be fair to both sides – the data subjects and data controllers.
It also comes at an interesting moment. In November 2025, the Commission published the Digital Omnibus proposal (COM(2025) 837 final), which among other things touches on the GDPR's right of access. Recital 35 of that proposal states that "the right of access, which is from the outset favourable to data subjects, should not be abused in the sense that the data subjects abuse them for purposes other than the protection of their data", and gives as an example a situation where "the data subject intends to cause the controller to refuse an access request, in order to subsequently demand the payment of compensation, potentially under the threat of bringing a claim for damages". The reformulated Article 14(5) of the GDPR (see Art. 4(4) of the proposal) would allow controllers to refuse requests that are "manifestly unfounded or excessive, in particular because of their repetitive character" - while keeping the burden of proof on the controller. The Court's reasoning and the Commission's proposal clearly point in the same direction. Whether the final legislation will look anything like the current draft is, of course, another question.
