On 19 March 2026, the Court of Justice of the European Union delivered a landmark judgment reshaping the boundaries of the GDPR right of access. In a decision of practical importance, the Court clarifies when access requests may be abusive, when compensation arises and what qualifies as non-material damage.
Background: a request for access refused by an optician
The case involved Brillen Rottler GmbH & Co. KG, a family-run optician's firm, and TC, an individual, concerning the firm's refusal to comply with TC's request for access to his personal data under Article 15 of the GDPR. The question put to the Court was threefold: can an initial request for access be classified as "excessive"? Does a breach of the right of access give rise to a right to compensation? What constitutes "non-material damage" within the meaning of the GDPR? Against this backdrop, the Court addressed three distinct questions, each of which carries significant practical consequences.
An initial request for access may be "excessive" in the event of an abuse of rights
This is the most significant finding of the judgment.
Until now, the excessive nature of a request within the meaning of Article 12(5) of the GDPR — which allows the controller to refuse to comply with requests that are "manifestly unfounded or excessive, in particular because of their repetitive nature" — was generally associated with a multiplicity of requests. The Court goes a step further.
An initial request for access to personal data may be considered "excessive" where the controller demonstrates, in the light of all the relevant circumstances of the case, that, despite formal compliance with the conditions laid down in those provisions, that request was made not to ascertain the processing of such data and verify its lawfulness, but with an abusive intent, such as the artificial creation of the conditions required to obtain an advantage resulting from that same Regulation.
The fact that, according to publicly available information, the data subject has submitted several requests for access to their personal data, followed by claims for compensation, to various data controllers, may be taken into account in order to establish the existence of such abusive intent.
In practice, this means that where an access request is deployed as a tactical device rather than exercised in good faith, data controllers may now legitimately resist it, provided they can establish the requisite evidence. This significantly strengthens the position of data controllers faced with strategic or opportunistic requests.
A breach of the right of access gives rise to a right to compensation
It follows from the wording of Article 82(1) of the GDPR that a person who has suffered material or non-material damage "as a result of an infringement of [this] Regulation" is entitled to receive compensation from the controller for the damage suffered. That provision contains no reference to "processing", so that the right to compensation cannot be confined to damage resulting from the processing of personal data.
Even in the event of a breach of the GDPR which does not, as such, involve any processing of data, the data subject may rely on the right to compensation provided for in Article 82 of that Regulation.
Article 82(1) of the GDPR must be interpreted as conferring on the data subject a right to compensation for damage resulting from a breach of the right of access provided for in Article 15(1) of that Regulation.
The practical consequence is clear: failing to respond to or unduly rejecting a request for access exposes the data controller to a claim for damages, irrespective of any unlawful processing operation.
Non-material damage: real, proven, and not caused by abuse
The Court provides important clarifications on the conditions for compensation for non-material damage.
The existence of "damage" that has been "suffered" constitutes one of the conditions for the right to compensation, as does the existence of a breach of the GDPR and a causal link between that damage and that breach, these three conditions being cumulative.
A person seeking compensation for non-material damage on the basis of that provision is required to establish not only the infringement of provisions of the GDPR, but also that that infringement has caused them such damage or harm. Such damage cannot therefore be merely presumed on the basis of the occurrence of the said infringement.
A mere allegation by the data subject of a fear arising from a loss of control over their personal data cannot, in itself, give rise to an entitlement to compensation.
However, the non-material damage suffered by the data subject encompasses the loss of control over their personal data or their uncertainty as to whether their data has been processed, provided that it is demonstrated, in particular, that the data subject has actually suffered such damage and that their own conduct was not the decisive cause thereof.
The data subject shall not be awarded compensation where the loss of control or uncertainty was caused by their own decision to submit data to the controller with a view to artificially creating the conditions required for the application of that provision.
Taken together, these findings confirm that compensation is neither automatic nor presumed. The claimant must demonstrate actual harm, distinct from the mere infringement, and must not themselves have been the cause of it. In short: no damage, no damages.
Practical implications for organisations
This judgment has immediate consequences for the way in which organisations, acting as data controllers, manage incoming access requests. It calls on data controllers to:
- document and analyse each access request in its context, including considering the applicant's past conduct;
- keep clear records to evidence, where necessary, the abusive nature of a request (notably by reference to publicly available sources);
- resist, where appropriate, requests made with a view to litigation or the pursuit of compensation claims;
- establish robust internal processes to handle legitimate requests.
This decision is a timely reminder that the right of access, whilst fundamental, is not without limits. For organisations, it paves the way for a stronger defence, provided it is properly substantiated and documented.
Our Data Protection team remains available to assist you in reviewing your practices and navigating these developments.
Share on
