Skip to content
Literature
EN

The Court of Justice on the Excessiveness of Access Requests under the GDPR

Sascha Hurst — European Journal of Risk Regulation

European Journal of Risk Regulation
DOI

Content

Abstract This case note comments on the preliminary ruling of the Court of Justice of the EU in Case C-526/24 Brillen Rottler v TC of 19 March 2026, which addresses the abuse of rights under the General Data Protection Regulation (GDPR), specifically in the context of requests for access to personal data under Article 15 GDPR and compensation under Article 82 GDPR. First, the Court held that even a first access request may be regarded as “excessive” where the controller demonstrates that it was not made to be aware of the data processing and verify its lawfulness, but with an abusive intention, such as artificially creating the conditions for a compensation claim. Publicly available information showing a pattern of repeated requests and claims to different controllers may be considered in this assessment. Second, the Court confirmed that a right to compensation can arise from an infringement of the right of access. Third, it clarified that non-material damage in those cases encompasses the loss of control over the personal data or the uncertainty about its processing, provided the data subject has actually suffered such damage and has not caused it through their own conduct. This note situates the judgment within the broader framework of case law on the abuse of rights and the recent Digital Omnibus proposal, and it outlines its practical significance for balancing the protection of the data subjects with the need to safeguard controllers against illegitimate claims.

Similar Content