European Union Court of Justice: In a case concerning interpretation of Articles 12(5), 15(1) and 82(1), General Data Protection Regulation (GDPR) on protection of natural persons with regard to processing of personal data and on the free movement of such data, the Bench comprising of I. Jarukaitis (Chamber President), K. Lenaerts (Court President), M. Condinanzi, N. Jääskinen and R. Frendo (Rapporteur), JJ. and M. Szpunar, Advocate General, stated that Article 12(5) GDPR must be interpreted to mean that even a first request for access to personal data can be considered “excessive” if the Controller shows, based on all the circumstances, that the request was made with an abusive intention.
Further, the Court held that Article 82(1) GDPR must be interpreted as meaning that non-material damage suffered by a data subject includes loss of control over their personal data or uncertainty about whether their data has been processed. However, this applies only if it is shown that the person actually suffered such damage and that their own conduct was not the determining cause of it.
Background
In March 2023, TC, an individual living in Austria, signed up for the newsletter of Brillen Rottler, a family-owned optician business based in Arnsberg, Germany. To do so, TC entered his personal details on the Company’s website and agreed to their data processing. Thirteen days later, TC submitted an Article 15 GDPR access request. Within the one-month period allowed by the GDPR, Brillen Rottler rejected TC’s access request.
The Company argued that the request was abusive under Article 12(5), second sentence of the GDPR. It also asked TC to withdraw his request permanently. After TC insisted on his access request and demanded EUR 1000 in compensation under Article 82 GDPR, Brillen Rottler went to the Local Court in Arnsberg. The Company asked the Court to declare that TC was not entitled to any compensation.
TC submitted before the referring court that his request for access to Brillen Rottler was legitimate, as it reflected his right of access under Article 15 GDPR. He claimed the Company was unlawfully restricting his rights, and Brillen Rottler should be ordered to pay him at least EUR 1000 in compensation for non-material damage caused by the refusal to give him access to his personal data.
The referring court was unsure whether a first access request can be considered “excessive” under Article 12(5) GDPR and therefore an abuse of rights. It also questions what circumstances could make a request excessive and whether a Controller can rely on public information showing that the person has made many access requests and compensation claims to other Controllers.
Further, the referring court also asked whether an access request under Article 15(1) GDPR, or the Controller’s response to such a request, counts as “processing” within the meaning of Article 4(2) GDPR. The referring court also harboured doubt about the criteria for identifying damage that can be compensated under Article 82(1) GDPR, and whether, even without data processing, Article 82(1) gives a right to compensation simply because the right of access under Article 15(1) has been infringed.
Analysis, Law, and Decision
1. Whether Article 12(5) GDPR mean that a person’s first request to access their personal data under Article 15 can ever be considered “excessive”? If yes, what circumstances would make such a request excessive?
The Court stated that Article 15(1) GDPR guarantees the data subject, the right to obtain confirmation from the Controller as to whether their personal data is being processed and, if so, the right to access that data and related information. Further, Article 12(5) GDPR establishes the principle that exercising this right of access should not involve any cost for the data subject. However, the Court explained that Article 12(5) allows the Controller to charge a reasonable fee or refuse to act where requests amount to an abuse of rights, in which the data subject’s requests must be regarded as “manifestly unfounded” or “excessive”, in particular because of their repetitive character.
The Court noted that the GDPR does not define “excessive”. Therefore, the term must be interpreted by considering the wording of Article 12(5), its everyday meaning, and the broader objectives of the GDPR. In ordinary language, “excessive” refers to something that goes beyond what is reasonable, ordinary, or permissible. Importantly, the Court clarified that the term covers both qualitative and quantitative aspects, so even a first request could, in principle, be excessive.
While repetitive requests are a clear example of excessiveness, the Court emphasised that repetition is not the only factor. An access request may be excessive even without repetition if it is made with abusive intent. This interpretation aligns with the broader context of Article 12 GDPR, which requires Controllers to facilitate data subject rights and ensure transparency. Article 12(5) GDPR is therefore an exception to this general obligation and must be interpreted narrowly. The Court further highlighted that EU law cannot be used for abusive or fraudulent purposes.
The Court stated that the number of access requests made by a data subject does not, by itself, determine whether the Controller can rely on Article 12(5) GDPR to refuse a request. The Court explained that a Controller may use this option even for a first request, if it can show, based on all the relevant circumstances, that the data subject acted with abusive intent.
The Court stated that Article 12(5) GDPR must be interpreted to mean that even a first request for access to personal data under Article 15 can be considered “excessive” if the Controller shows, based on all the circumstances, that the request was made with an abusive intention. This would be the case where the request is not aimed at checking whether data is being processed lawfully, but instead at artificially creating conditions to gain an advantage under the Regulation. The Court added that evidence such as a data subject making many access requests to different Controllers, followed by claims for compensation, may be considered to establish such abusive intent.
2. Whether Article 82(1) GDPR must be interpreted as giving the data subject a right to compensation for damage caused by a breach of the right of access under Article 15(1)
The Court stated that Article 82(1) GDPR makes clear that anyone who suffers material or non-material damage because of a breach of the Regulation has the right to compensation from the Controller. This right is not limited to damage caused by the processing of personal data, since the provision does not mention “processing”. The purpose of Article 82(1) is to strengthen the rights of data subjects and the obligations of Controllers, as highlighted in Recital 11 of the GDPR.
The Court stated that as the Advocate General noted, these rights, including the right of access, would be weakened if compensation were only available for unlawful processing. Therefore, even if a GDPR infringement does not involve data processing, the data subject may still claim compensation. Thus, the Court held that Article 82(1) GDPR must be interpreted as conferring on the data subject a right to compensation for damage resulting from a breach of the right of access under Article 15(1).
3. Whether Article 82(1) GDPR must be interpreted as meaning that non-material damage suffered by a data subject includes loss of control over their personal data or uncertainty about whether those data have been processed.
The Court stated that not every infringement of the GDPR automatically gives a data subject the right to compensation. Article 82(1) requires three cumulative conditions: there must be an infringement of the GDPR, actual damage suffered, and a causal link between the infringement and the damage. Therefore, a person claiming compensation for non-material damage must prove both the infringement and that it caused them harm. Such damage cannot be presumed just because an infringement occurred.
The Court explained that merely alleging fear of losing control over personal data is not enough to justify compensation. If a person claims compensation based on fear that their data may be misused in the future, the national court must assess whether that fear is well founded in the specific circumstances of the case.
Thus, the Court held that Article 82(1) GDPR must be interpreted as meaning that non-material damage suffered by a data subject includes loss of control over their personal data or uncertainty about whether their data has been processed. However, this applies only if it is shown that the person actually suffered such damage and that their own conduct was not the determining cause of it.
[Brillen Rottler GmbH & Co. KG v. TC, 2026 SCC OnLine ECJ 1, decided on 19-3-2026]
Advocates who appeared in this case:
For Brillen Rottler GmbH & Co. KG: J. Trober, Rechtsanwalt;
For TC: P. Brandt, Rechtsanwalt,
For the European Commission: A. Bouchagiar, M. Heller and H. Kranenborg, acting as Agents
