CJEU (19 March 2026): access may be refused if abusive

The CJEU accepts that a data access request may be rejected as “abusive” if it solely aims at obtaining GDPR compensation. Strong signal for reasoned refusals, burden of proof, and meeting deadlines.

In Brillen Rottler (C‑526/24, 19 March 2026), the CJEU accepts that a first data access request (Article 15 GDPR) may be refused under Article 12(5) if it is “abusive”, i.e., submitted solely to obtain compensation, without any informational or verification purpose. The Court also reiterates that compensation (Article 82) requires a violation, damage, and causation.

Official sources: CJEU press release No 38/26 (FR); Press release (EN); InfoCuria case file C‑526/24.

The case

Following a commercial dispute, an individual sent a data access request to Brillen Rottler GmbH & Co. KG (optician, DE) and then claimed damages for “loss of control”. Referred by the Amtsgericht Arnsberg, the CJEU held that a purely compensation‑driven request can be deemed abusive and refused under Article 12(5) GDPR. The Court also reaffirms that a mere infringement is insufficient for Article 82 (see CJEU, C‑300/21, Österreichische Post).

Legal reasoning

  • GDPR basis. The right of access (Art. 15) is implemented via Art. 12, which allows refusal where requests are “manifestly unfounded or excessive” (Art. 12(5)). Full text: EUR‑Lex — GDPR.
  • Abuse notion. Exclusively seeking monetary advantage, without any informational or oversight purpose, may constitute abuse, rendering the request “manifestly unfounded” under Art. 12(5). The controller bears the burden to evidence and justify the refusal (Arts. 5(2) and 24).
  • Compensation (Art. 82). Compensation requires cumulatively: (i) a GDPR infringement, (ii) damage, including non‑material, and (iii) causation. A mere infringement does not suffice (C‑300/21, 4 May 2023).
  • Alignment with EDPB. EDPB Guidelines 01/2022 and the 2024 coordinated enforcement stress one‑month responses without undue delay, proportionate identification, and reasoned refusals. See EDPB — Guidelines 01/2022 and EDPB — CEF 2024.
  • CNPD position. CNPD explains the right of access, limitations, and provides templates, notably in its 2024 practical sheet: Right of access (FR) and Practical sheet (04/2024).

What changes in practice

  1. Filtering instrumentalised requests. There is case‑law support to refuse requests aimed solely at triggering compensation. Assess context (timeline, templated wording, lack of interest in information) and, where needed, seek clarifications (Art. 12(6)). To industrialise this flow, a certified DPO mandate helps structure analysis and responses.
  2. Reasoning and traceability. A refusal under Art. 12(5) must be evidence‑based, explain reasons, and state redress routes (complaint to CNPD — Art. 77; judicial remedy — Art. 79).
  3. Damages calibration. Litigation requires showing damage and causation. Organisations should log processing, retain proof of completeness and timing, and document any limitation. For the legal backbone, review GDPR Articles 12, 15 and 82.

Illustrations

  • Financial services (Luxembourg/PSF): copy‑paste requests post‑pricing dispute seeking to “establish a breach and claim €500”. Process: acknowledge receipt, ask for scope clarification, then issue a reasoned refusal if the solely compensatory intent is evidenced (Art. 12(5)) and inform the CNPD.
  • Cross‑border HR: “all emails where my name appears since 2016” plus “I’ll claim damages if you’re late”. Response: proportionate scope (EDPB §§153‑173), targeted access, third‑party redaction, reasoned restrictions, and avoid labelling “abusive” if the goal remains informational.

Common pitfalls

  1. Refusing too quickly without a file. The CJEU targets the exclusively compensatory intent. Without objective indicators, refusal is weak (Art. 12(5); C‑526/24).
  2. Missing the one‑month deadline. Extensions (+2 months) are possible but must be notified (EDPB 01/2022).
  3. Weak identity verification. Art. 12(6) requires proportionate checks; failure can cause third‑party disclosure and compensation risk (Art. 82).
  4. Refusing without alternatives. Even under suspected abuse, propose scope clarification, on‑site consultation, or limit to data provided by the requester (EDPB §§164‑173).
  5. Omitting redress information. Always state complaint to CNPD (Art. 77) and judicial remedy (Art. 79).

What to implement now

  • Access‑right decision tree aligned with EDPB/CJEU: intake and logging, identity check, scope clarification, extraction/copy, legal restrictions, abuse/manifestly unfounded test, reply within one month, and redress information. A Luxembourg GDPR framework supports operational rollout.
  • Evidence file for “abuse of right”: objective indicators, correspondence retention, internal review report, DPO advice.
  • Data governance and security: data mapping, tooling for extraction, third‑party masking, evidence vault (Art. 32). Our outsourced CISO services can structure logging and controls.
  • Deadline monitoring: register and a “time‑to‑access” KPI, aligned with EDPB/CNPD coordinated enforcement (CEF 2024).

Official sources

  • CJEU — Press release No 38/26, 19 March 2026 (Brillen Rottler, C‑526/24): FR, EN; InfoCuria file: C‑526/24
  • GDPR (EUR‑Lex), Articles 12, 15 and 82
  • CJEU — Österreichische Post (C‑300/21), 4 May 2023, press release
  • EDPB — Guidelines 01/2022 Right of access (17/04/2023)
  • EDPB — CEF 2024
  • CNPD — Right of access (FR); Practical sheet (2024)

Local note: CNPD expects an operational, traceable and proportionate implementation of the access right. The 19 March 2026 CJEU judgment does not curtail the right; it frames instrumentalised requests only — to be used with strict evidentiary rigor.

Luxgap regulatory expertise article.
