GDPR: first access request may be refused for abuse (CJEU 19/03/2026)

The CJEU (C‑526/24) holds that a first GDPR access request may be refused for abuse under Article 12(5). Practical key: document abusive intent and a two‑pronged proportionality test.

GDPR right of access: the CJEU allows refusal for “abuse” (19 March 2026)

The CJEU (19 March 2026, C‑526/24 Brillen Rottler) holds that a first access request (Art. 15 GDPR) may be refused if it is “abusive” within the meaning of Article 12(5). Key takeaway: document abusive intent and apply a two‑pronged proportionality test.

The case

On 19 March 2026, the Court of Justice of the European Union (CJEU) delivered judgment C‑526/24 Brillen Rottler GmbH & Co. KG v TC. On a reference from the Amtsgericht Arnsberg (Germany), the Court clarified whether a controller may refuse a first access request under Articles 15 and 12(5) GDPR where it is “manifestly unfounded or excessive,” including in cases of abuse of rights. The CJEU answered yes: “a first access request may, in certain circumstances, already be considered ‘excessive’” if it pursues a purpose unrelated to information and verification of processing lawfulness, e.g., to artificially create conditions for a damages claim (Art. 82 GDPR). Official sources: CJEU press release No 38/26 of 19/03/2026 and the judgment (ECLI:EU:C:2026:216). Links: https://curia.europa.eu/site/upload/docs/application/pdf/2026-03/cp260038en.pdf and https://juris.curia.europa.eu/juris/document/document.jsf?docid=310067&doclang=EN. (curia.europa.eu) (juris.curia.europa.eu)

Damages and penalties were not at stake: this is a ruling on interpretation. The Court links Article 12(5) GDPR (requests “manifestly unfounded or excessive”) with Article 82 (right to compensation) and sets a two‑limb test (objective elements + subjective intent) to qualify abuse. Useful extract (free translation): establishing an abusive practice requires i) objective circumstances showing that, despite formal compliance with GDPR conditions, the purpose of the rule is not achieved; and ii) a subjective element consisting of the intention to obtain an advantage by artificially creating the conditions for application. See the summary in §36 of the judgment (link above). (ipcuria.eu)

Legal reasoning

What this changes in practice

  • Refusal is possible but tightly framed: you may refuse a first access request only if you can demonstrate “abuse” as defined by the CJEU under Art. 12(5). Example: a DSAR sent thirteen days after a minor incident, before any interaction, threatening a standardized damages action and refusing to specify the data sought; public elements show a “pattern” of identical requests to monetize Article 82. In such a case, a proportionate, reasoned refusal can be justified after attempting clarification. (juris.curia.europa.eu)
  • Evidence method: maintain a complete DSAR file, including a timestamped log, clarification exchanges (Arts. 12(6) and 12(5)), ID verification, test extraction, third‑party rights analysis (Art. 15(4)), and a “manifestly unfounded/excessive” grid. Where appropriate, refer to data already provided or safely accessible per EDPB 01/2022 (edpb.europa.eu). A structured DPO mandate helps secure templates and records.
  • CNPD/EDPB alignment: CNPD expects a reasoned response within one month, including redress avenues. Undocumented or boilerplate refusals are weak under CNPD scrutiny or litigation. For a Luxembourg lens, consult our GDPR Luxembourg overview.
  • Security interactions: mass post‑incident access requests can disrupt investigation. The CJEU does not allow a general freeze of the access right, but it opens the door to excluding instrumental requests aimed solely at forcing fault recognition. Document security measures (Art. 32), record investigation status, and provide information without compromising security or third‑party rights (edpb.europa.eu). Support from an outsourced CISO can balance access and evidence integrity.

Common pitfalls

  1. Copy‑paste reasons without case‑by‑case testing. Mere suspicion of bad faith is insufficient. Perform a formal two‑step test (objective elements + intent) and keep it on file. (juris.curia.europa.eu)
  2. Confusing “clarification” with “obstruction”. Targeted clarification is legitimate (EDPB 01/2022), but demanding unreasonable details or imposing exclusive forms may breach Article 12(2). (edpb.europa.eu)
  3. Forgetting third‑party rights (Art. 15(4)). Sharing raw logs or documents without redaction can breach others’ confidentiality. Apply proportionate filtering and explain it. CNPD/EDPB emphasize this. (cnpd.public.lu)
  4. Equating “repetitive” with “excessive”. The CJEU states “excessive” is not limited to repetition. A second request may remain legitimate (data updates, scope expansion). (juris.curia.europa.eu)
  5. Refusing without offering alternatives. Even where abuse is established, indicate redress avenues (Art. 12(4)), items already provided, and — where relevant — offer restricted access protecting third parties. EDPB 01/2022 stresses transparency. (edpb.europa.eu)

Official sources

Takeaway for Luxembourg

As of 19 March 2026, a refusal of access may be lawful even for a first request if you can prove abuse as defined by the CJEU. The evidentiary and reasoning standard remains high. DPOs and leadership should update DSAR procedures (register, “abuse/excessive” checklist, response templates) to balance protection against instrumentalization with rigorous respect for the right of access. Our DPO support in Luxembourg can help secure these updates.

Luxgap regulatory expertise article.
