Can a data controller reject a data subject’s first data access request on the basis that it is “excessive”? Until recently, many organisations were cautious and adopted an agnostic view about the intentions behind first access requests. However, the EU Court of Justice (“CJEU”) has clarified in a recent decision that although excessive requests are exceptional, a first request can be excessive where it is made with an abusive intention.
Under Article 15 of the GDPR, individuals have the right to be provided with copies of their personal data and information about the conditions under which the data is processed. Disputes arising from the exercise of this right are not unusual. For example, Ireland’s Data Protection Commission consistently reports that access requests generate the majority of complaints and queries that it receives.
The case background
No right under the GDPR is absolute and Article 12(5)(b) of the GDPR allows a controller to refuse to act on a request where that request is “manifestly unfounded” or “excessive”. However, those terms are not defined in the GDPR and this has led some controllers to be uncertain whether initial or infrequent requests that are brought for other motives can be properly characterised as excessive.
In a welcome decision for controllers, the CJEU ruled in March 2026 in Brillen Rottler (Case C-526/24) that a first request can be “excessive” where a controller can demonstrate that the request was made with an abusive intention. The court’s decision also set down the conditions for damages that may arise under Article 82 where a request is refused or responded to with insufficient information.
The referral to the CJEU concerned a refusal by an optician company in Germany to respond to an access request made by an individual who had subscribed to the optician’s newsletter via a registration form on the optician’s website. Within a fortnight of subscribing, the individual made an access request which the optician company refused because it considered it to be an abusive one. The individual maintained his request and added a compensation claim for €1,000. The company supported its claim that the request was abusive by relying on publicly available reports that the individual concerned had a practice of subscribing to newsletters of various companies before making an access request to those companies and thereafter a compensation claim. The referring court in Germany that heard the claim asked the CJEU whether the first request made to a controller can be an excessive request from a data subject and whether a controller can refuse a request where a data subject intends to use the request to pave the way for a claim for damages against the controller.
Circumstances where an access request is excessive
The court’s ruling has resulted in a number of significant findings that should allow controllers to more confidently maintain that a request is excessive where it is made for abusive purposes. The CJEU has ruled that an individual’s intention, rather than simply the number of requests, is important in determining whether a request is excessive. On this point, the CJEU ruled that the question of whether a request is excessive should be assessed qualitatively and quantitatively, but an individual’s intent is the more decisive factor.
Although the CJEU has clarified that intention may be decisive, the court also stated that a request will be considered excessive only in exceptional circumstances. While data protection authorities have applied a similarly high threshold to reliance on Article 12(5), prior to the CJEU’s decision, it was still unclear to many controllers whether they could take account of motive in determining whether to respond to a request. For example, in Ireland, the Irish DPC has said that there are very few prerequisites regarding access requests and the limitation on the right to access under Article 12(5) is a very high threshold to meet. The DPC’s guidance has also tended to focus on the size and volume of requests in assessing excessiveness. The Brillen Rottler decision is more expressly in line with ICO guidance in the UK which has considered intent and states that a request may be manifestly unfounded if the request is malicious in intent or used to harass an organisation, with no real purpose other than to cause disruption.
As a result of the Brillen Rottler decision, the interplay between abusive intent and the limitation on the right of access is now much clearer. The CJEU decision provides some assistance to controllers in determining whether intent is abusive. Such intent may be found where the requesting individual makes a request for a purpose unrelated to their right to know about the processing of their personal data and to verify the lawfulness of that processing. Circumstances that controllers may take account of include the fact that the data subject provided personal data without being obliged to do so, the aim of providing the data, the time that elapsed between the provision of the data and the request for access, and the conduct of the data subject.
Clarification on compensation claims
The referring court also raised a number of queries about the right to compensation. The CJEU confirmed that an individual may seek compensation under Article 82 of the GDPR even if there is no data processing. The CJEU was asked to consider whether infringement of the right to access on its own gives rise to a right to compensation for non-material damage or whether that right to compensation requires further damage to the requestor. The CJEU determined that infringement alone does not confer a right to compensation; there must be some causal link between the infringement and damage an individual suffers. The court ruled that the link can be broken where the conduct of the individual bringing a compensation claim contributed to the conditions for the claim and proves to be the determining cause of the damage. Such conduct can include providing personal data to a controller to artificially create the conditions for a compensation claim.
What practical implications should controllers consider?
The decision in Brillen Rottler may impact a growing trend in employment disputes across Europe where access requests are often part of a claimant’s strategy to prepare for an employment-related claim. Leaving to one side the impact of the CJEU’s ruling for particular classes of claimants and defendants, a review of the more general application of the decision shows that it is an important clarification of the circumstances where an access request may be refused. It is also suggestive of a pragmatic approach by the CJEU in recognising that an access request may be considered excessive where it is made solely with a view to seeking compensation for non-material damage. The decision is also in line with GDPR amendments proposed in the European Commission’s draft Digital Omnibus Regulation, which include a right for controllers to refuse to respond to an access request where that right is being abused by an individual for a purpose other than protecting their personal data.
Controllers now have clarity that a requestor’s intention is relevant, and the court’s finding may encourage some controllers to routinely refuse to comply with an access request. However, any change in practice should be the subject of a proper review because the standard for refusal remains high. Disproportionate refusals of access requests will likely leave controllers exposed to compensation claims. To deal effectively with changes to the management of access requests, controllers should:
- Continue to treat refusals of access requests as exceptional rather than routine and avoid broad reliance on public information about a requestor as the sole ground for refusal.
- Engage in staff training to perform contextual assessments to properly manage refusal decisions.
- Update assessment processes to identify access requests that may be indicative of abusive intentions rather than made for the protection of personal data.
- Document the evidence and decision-making procedures they rely on before refusing a request.