GDPR: first access request may be refused for abuse (CJEU 19/03/2026)
The CJEU (19 March 2026, C‑526/24 Brillen Rottler) holds that a first access request (Art. 15 GDPR) may be refused if it is “abusive” within the meaning of Article 12(5). Key takeaway: document abusive intent and apply a two‑pronged proportionality test.
The case
On 19 March 2026, the Court of Justice of the European Union (CJEU) delivered judgment C‑526/24 Brillen Rottler GmbH & Co. KG v TC. Asked by the Amtsgericht Arnsberg (Germany), the Court clarified whether a controller may refuse a first access request under Articles 15 and 12(5) GDPR where it is “manifestly unfounded or excessive,” including in case of abuse of rights. The CJEU answered yes: “a first access request may, in certain circumstances, already be considered ‘excessive’” if it pursues a purpose unrelated to information and verification of processing lawfulness, e.g., to artificially create conditions for a damages claim (Art. 82 GDPR). Official sources: CJEU press release No 38/26 of 19/03/2026 and the judgment (ECLI:EU:C:2026:216). Links: https://curia.europa.eu/site/upload/docs/application/pdf/2026-03/cp260038en.pdf and https://juris.curia.europa.eu/juris/document/document.jsf?docid=310067&doclang=EN. (curia.europa.eu) (juris.curia.europa.eu)
Damages and penalties were not at stake: this is an interpretation ruling. The Court links Article 12(5) GDPR (requests “manifestly unfounded or excessive”) with Article 82 (right to compensation) and sets a two‑limb test (objective elements + subjective intent) to qualify abuse. Useful extract (free translation): establishing abusive practice requires i) objective circumstances showing that, despite formal compliance with GDPR conditions, the purpose of the rule is not achieved; and ii) a subjective element consisting of the intention to obtain an advantage by artificially creating the conditions for application. See the summary in §36 of the judgment (link above). (ipcuria.eu)
Legal reasoning
- Primary legal basis: Article 12(5) GDPR allows controllers to refuse a request where it is “manifestly unfounded or excessive.” The CJEU clarifies that “excessive” may stem from abuse of rights, even for a first request. Related: Article 15 (right of access) and Article 82 (right to compensation). Consolidated text: https://eur-lex.europa.eu/eli/reg/2016/679/oj. For an overview, see our GDPR reference.
- Abuse test set by the CJEU: combination of objective factors (transparency/control purpose not achieved) and subjective intent (aim to gain undue advantage, e.g., to artificially prepare non‑material damage). Parallel litigation or multiple prior requests are insufficient on their own; assess context, timeline, and purpose. (juris.curia.europa.eu)
- EDPB reference: Guidelines 01/2022 “Right of access” (final 28 March 2023) already frame Article 12(5): “excessive” is not limited to repetition; the controller may seek clarification, verify identity, and must document its assessment. The EDPB insists refusals must be restrictive and that deliberate nuisance may evidence abuse. Guidelines: https://www.edpb.europa.eu/documents/guideline/guidelines-012022-on-data-subject-rights-right-of-access_en.
- CNPD position: Luxembourg CNPD recalls the access right’s purpose (information, oversight) and provides practical tools and a template letter. It points to the one‑month deadline (Art. 12(3)), limitations (third‑party rights, Art. 15(4)) and the EDPB framework. See https://cnpd.public.lu/fr/particuliers/vos-droits/droit-acces.html and https://cnpd.public.lu/fr/actualites/national/2024/04/fiche-droit-acces.html.
What this changes in practice
- Refusal is possible but tightly framed: you may refuse a first access request only if you can demonstrate “abuse” under the CJEU test and Art. 12(5). Example: a DSAR sent thirteen days after a minor incident, before any interaction, threatening a standardized damages action and refusing to specify the data sought; public elements show a “pattern” of identical requests to monetize Article 82. In such a case, a proportionate, reasoned refusal can be justified after attempting clarification. (juris.curia.europa.eu)
- Evidence method: maintain a complete DSAR file: timestamped log, clarification exchanges (Arts. 12(6) and 12(5)), ID verification, test extraction, third‑party rights analysis (Art. 15(4)), “manifestly unfounded/excessive” grid. Where appropriate, refer to data already provided or safely accessible per EDPB 01/2022 (edpb.europa.eu). A structured DPO mandate helps secure templates and records.
- CNPD/EDPB alignment: CNPD expects a reasoned response within one month, including redress avenues. Undocumented or boilerplate refusals are weak under CNPD scrutiny or litigation. For a Luxembourg lens, consult our GDPR Luxembourg overview.
- Security interactions: mass post‑incident access requests can disrupt investigation. The CJEU does not allow a general freeze of the access right, but it opens the door to excluding instrumental requests aimed solely at forcing fault recognition. Document security measures (Art. 32), record investigation status, and provide information without compromising security or third‑party rights (edpb.europa.eu). Support from an outsourced CISO can balance access and evidence integrity.
Common pitfalls
- Copy‑paste reasons without case‑by‑case testing. Mere suspicion of bad faith is insufficient. Perform a formal two‑step test (objective elements + intent) and keep it on file. (juris.curia.europa.eu)
- Confusing “clarification” with “obstruction”. Targeted clarification is legitimate (EDPB 01/2022), but demanding unreasonable details or imposing exclusive forms may breach Article 12(2). (edpb.europa.eu)
- Forgetting third‑party rights (Art. 15(4)). Sharing raw logs or documents without redaction can breach others’ confidentiality. Apply proportionate filtering and explain it. CNPD/EDPB emphasize this. (cnpd.public.lu)
- Equating “repetitive” with “excessive”. The CJEU states “excessive” is not limited to repetition. A second request may remain legitimate (data updates, scope expansion). (juris.curia.europa.eu)
- Refusing without offering alternatives. Even where abuse is established, indicate redress avenues (Art. 12(4)), items already provided, and — where relevant — offer restricted access protecting third parties. EDPB 01/2022 stresses transparency. (edpb.europa.eu)
Official sources
- CJEU — Press release No 38/26 (19 March 2026), C‑526/24 Brillen Rottler: https://curia.europa.eu/site/upload/docs/application/pdf/2026-03/cp260038en.pdf
- CJEU — Judgment of 19 March 2026, C‑526/24 (ECLI:EU:C:2026:216): https://juris.curia.europa.eu/juris/document/document.jsf?docid=310067&doclang=EN
- EDPB — Guidelines 01/2022 on data subject rights – Right of access (final 28 March 2023): https://www.edpb.europa.eu/documents/guideline/guidelines-012022-on-data-subject-rights-right-of-access_en
- CNPD Luxembourg — Right of access (info page and practical sheet): https://cnpd.public.lu/fr/particuliers/vos-droits/droit-acces.html and https://cnpd.public.lu/fr/actualites/national/2024/04/fiche-droit-acces.html
Takeaway for Luxembourg
As of 19 March 2026, a refusal of access may be lawful even for a first request if you can prove abuse as defined by the CJEU. The evidentiary and reasoning standard remains high. DPOs and leadership should update DSAR procedures (register, “abuse/excessive” checklist, response templates) to balance protection against instrumentalization with rigorous respect for the right of access. Our DPO support in Luxembourg can help secure these updates.
Luxgap regulatory expertise article.