CJEU 19 March 2026 (Brillen Rottler): first access request may be refused for abuse
The CJEU allows a first access request (Art. 15 GDPR) to be refused as “excessive” if an abusive intent is proven (Art. 12(5)). Any refusal must remain exceptional, justified, and within deadlines.
CJEU Brillen Rottler judgment (C‑526/24, 19 March 2026): the Court allows a first access request under Article 15 GDPR to be deemed “excessive” and refused if the controller proves an abusive intent within the meaning of Article 12(5). Any refusal must be duly reasoned and notified within the statutory time limits.
The case
On 19 March 2026, the Court of Justice of the European Union delivered Brillen Rottler (C‑526/24), following a reference from the Amtsgericht Arnsberg (Germany). The Court held that a first access request (Article 15 GDPR) can be considered excessive if driven by a proven abusive intent under Article 12(5) GDPR. The ruling also clarifies the interplay with Article 82 (damages), especially where access is invoked to later seek compensation for an alleged infringement. See the official Press release No 38/26 (19.03.2026) and the InfoCuria file (ECLI:EU:C:2026:216).
Legal reasoning
- Legal basis. Article 12(5) GDPR provides that where a data subject’s requests are “manifestly unfounded or excessive, in particular because of their repetitive character,” the controller may charge a reasonable fee or refuse to act. Official text: EUR‑Lex (Regulation 2016/679). For a practical overview, see our page on GDPR (Articles 12 and 15).
- Key takeaway. The CJEU expressly confirms that a first request may be refused if it is abusive, grounded in the general EU law principle prohibiting abuse of rights. The Article 12(5) exception must be narrowly interpreted: the controller bears the burden of proof; any refusal must be reasoned and notified within the Article 12(3) deadline (one month, extendable by two months). Source: CJEU Press release No 38/26.
- Interplay with Article 15. The right of access remains broad: confirmation of processing and access to the data and the information listed in Article 15(1), plus a copy (Art. 15(3)), subject to the rights and freedoms of others (Art. 15(4)). Refusal is only possible where the request is “manifestly” abusive/excessive in a strict sense. Source: EUR‑Lex, Art. 15 GDPR.
- Alignment with the EDPB. Guidelines 01/2022 confirm that “manifestly unfounded or excessive” cases must be assessed narrowly; repetitiveness is merely an example. The ruling clarifies that excess may stem from an intent that instrumentalises the right (abuse), even for a first request. Sources: EDPB Guidelines 01/2022 and EDPB news.
- CNPD reference. The CNPD explains the scope of access rights and response duties; the ruling frames controllers’ ability to refuse for abuse without undermining the right itself. Source: CNPD – Right of access.
What changes in practice
For organisations in Luxembourg (companies, public bodies, PSFs, healthcare, NIS2 operators), this ruling offers a tool to handle requests diverted from their legitimate purpose. For a Luxembourg‑focused approach, see GDPR Luxembourg compliance.
- Refusal possible even for a first request if abuse is proven (e.g., a request made solely to generate a damages claim – Art. 82(1) GDPR – with no genuine intent to exercise access rights, or coupled with systematic threats unrelated to data protection). This is an exception that must be documented. Source: CJEU, Brillen Rottler (C‑526/24).
- DSAR process: embed an “abuse/excess test” using objective criteria (apparent purpose, unreasonable breadth, no link to actual processing, proven instrumentalisation). EDPB criteria remain the compass. Source: EDPB Guidelines 01/2022. Dedicated oversight helps; a certified DPO mandate can strengthen traceability and reasoned decisions.
- Deadlines unchanged: respond within one month (Art. 12(3)), extendable by two months when necessary, informing the data subject; if refusing, state the reasons, the CNPD complaint option, and judicial redress. Source: EUR‑Lex, Art. 12 GDPR.
- Supervision by authorities: in audits/reviews, authorities will check traceability (request log, assessment grid, evidence of abuse, reasoned decision, DPO oversight). The CNPD remains aligned with the EDPB; the ruling becomes a key judicial reference.
Practical examples (Luxembourg/Greater Region)
- Ex‑employee demanding “all communications mentioning me over 10 years, within 5 days, or pay €5,000”: potential excess if objectively disproportionate and used as leverage for damages; seek clarification, propose a proportionate scope; refuse only if abuse is evidenced and reasoned.
- Customer submitting 50 identical template‑based requests in the same week, with no link to actual processing: manifest excess (repetitive, intent to overload).
- Targeted and legitimate request (medical file, HR data, security logs tied to an incident): not abusive; provide a full response, including relevant metadata, subject to others’ rights (Art. 15(4)).
Common pitfalls
- Refusing “by default” broad requests. The ruling does not permit generic refusals; abuse must be proven case by case. Sources: EDPB 01/2022; CJEU Brillen Rottler (19.03.2026).
- Failing to justify and inform. Articles 12(4) and 12(3) require providing reasons, redress information, and meeting the one‑month deadline. Source: EUR‑Lex, Art. 12 GDPR.
- Equating “hard to process” with “abusive.” Operational burden alone is not abuse; clarify scope and, if needed, extend deadlines. Sources: EDPB 01/2022; EUR‑Lex, Art. 12(3).
- Skipping identity verification. Where there is legitimate doubt (Art. 12(6)), request proportionate additional information. Source: EUR‑Lex, Art. 12(6) GDPR.
- Overlooking third‑party rights. When providing a copy (Art. 15(3)), protect trade secrets and third‑party data (Art. 15(4)).
Official sources
- Court of Justice of the EU – Press release No 38/26 (19 March 2026)
- Court of Justice of the EU – InfoCuria, Case C‑526/24 (ECLI:EU:C:2026:216)
- EUR‑Lex – Regulation (EU) 2016/679 (GDPR), Articles 12 and 15
- EDPB – Guidelines 01/2022 on the right of access; EDPB news
- CNPD Luxembourg – Right of access
Luxgap regulatory expertise article.