Provisional text

OPINION OF ADVOCATE GENERAL

SZPUNAR

delivered on 18 September 2025 (1)

Case C‑526/24

Brillen Rottler GmbH & Co. KG

(Request for a preliminary ruling from the Amtsgericht Arnsberg (Local Court, Arnsberg, Germany))

( Reference for a preliminary ruling – Regulation (EU) 2016/679 – Protection of personal data – Request for access, by the data subject, to personal data concerning him or her – Right of the controller to refuse to act on the request – Excessive character of the request – Abuse of rights – Right to compensation – Event giving rise to the damage )

I. Introduction

1. Where the legal order confers a subjective right on an individual, the exercise of that right must, as a matter of principle, be considered lawful. However, if the manner in which that right is exercised is not compatible with the objectives of the provision enshrining it, limits may be imposed by the legal order, in particular through the abuse of rights mechanism. (2)

2. In the same vein, there is, in EU law, a general legal principle that EU law cannot be relied on for abusive or fraudulent ends, which also applies in private law relationships. (3)

3. The present case concerns a specific expression of that principle in secondary law and, more specifically, in the context of the private enforcement of Regulation (EU) 2016/679 (4) (‘the GDPR’). The Court is asked to specify, inter alia, the limits to the exercise of the right of access and the right to compensation that a data subject invokes, in an allegedly abusive manner, against the controller, a company governed by private law.

II. European Union law: the GDPR

4. Recitals 10, 11, 60, 63, 141 and 146 of the GDPR state:

‘(10) In order to ensure a consistent and high level of protection of natural persons and to remove the obstacles to flows of personal data within the Union, the level of protection of the rights and freedoms of natural persons with regard to the processing of such data should be equivalent in all Member States. Consistent and homogenous application of the rules for the protection of the fundamental rights and freedoms of natural persons with regard to the processing of personal data should be ensured throughout the Union. …

(11) Effective protection of personal data throughout the Union requires the strengthening and setting out in detail of the rights of data subjects and the obligations of those who process and determine the processing of personal data …

…

(60) The principles of fair and transparent processing require that the data subject be informed of the existence of the processing operation and its purposes. The controller should provide the data subject with any further information necessary to ensure fair and transparent processing taking into account the specific circumstances and context in which the personal data are processed. …

…

(63) A data subject should have the right of access to personal data which have been collected concerning him or her, and to exercise that right easily and at reasonable intervals, in order to be aware of, and verify, the lawfulness of the processing. … Every data subject should therefore have the right to know and obtain communication in particular with regard to the purposes for which the personal data are processed, where possible the period for which the personal data are processed, the recipients of the personal data, the logic involved in any automatic personal data processing and, at least when based on profiling, the consequences of such processing. …

…

(141) Every data subject should have the right to lodge a complaint with a single supervisory authority, in particular in the Member State of his or her habitual residence, and the right to an effective judicial remedy in accordance with Article 47 of the [Charter of Fundamental Rights of the European Union] if the data subject considers that his or her rights under this Regulation are infringed …

…

(146) The controller or processor should compensate any damage which a person may suffer as a result of processing that infringes this Regulation. The controller or processor should be exempt from liability if it proves that it is not in any way responsible for the damage. The concept of damage should be broadly interpreted in the light of the case-law of the Court of Justice in a manner which fully reflects the objectives of this Regulation. … Data subjects should receive full and effective compensation for the damage they have suffered. …’

5. Article 4(2) of that regulation defines ‘processing’ as ‘any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction’.

6. Article 12 of the GDPR, entitled ‘Transparent information, communication and modalities for the exercise of the rights of the data subject’, provides, in paragraphs 1 and 5:

‘1. The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing to the data subject …

…

5. Information provided under Articles 13 and 14 and any communication and any actions taken under Articles 15 to 22 and 34 shall be provided free of charge. Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either:

(a) charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or

(b) refuse to act on the request.

The controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.

…’

7. Article 15 of the GDPR, entitled ‘Right of access by the data subject’, provides, in paragraph 1:

‘The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data …’

8. Article 57 of the GDPR, entitled ‘Tasks’, provides, in paragraph 4 thereof:

‘Where requests are manifestly unfounded or excessive, in particular because of their repetitive character, the supervisory authority may charge a reasonable fee based on administrative costs, or refuse to act on the request. The supervisory authority shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.’

9. Article 79 of the regulation, entitled ‘Right to an effective judicial remedy against a controller or processor’, provides, in paragraph 1:

‘Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority pursuant to Article 77, each data subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with this Regulation. …’

10. Article 80 of the regulation, entitled ‘Representation of data subjects’, provides, in paragraph 2:

‘Member States may provide that any body, organisation or association referred to in paragraph 1 of this Article, independently of a data subject's mandate, has the right to lodge, in that Member State, a complaint with the supervisory authority which is competent pursuant to Article 77 and to exercise the rights referred to in Articles 78 and 79 if it considers that the rights of a data subject under this Regulation have been infringed as a result of the processing.’

11. Article 82 of the regulation, entitled ‘Right to compensation and liability’, provides, in paragraphs 1 to 3:

‘1. Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.

2. Any controller involved in processing shall be liable for the damage caused by processing which infringes this Regulation. A processor shall be liable for the damage caused by processing only where it has not complied with obligations of this Regulation specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller.

3. A controller or processor shall be exempt from liability under paragraph 2 if it proves that it is not in any way responsible for the event giving rise to the damage.’

III. The dispute in the main proceedings, the questions referred and the procedure before the Court

12. In March 2023, TC, the defendant in the main proceedings, an individual living in Vienna (Austria), subscribed to the newsletter of Brillen Rottler GmbH & Co. KG (‘Brillen Rottler’), a family run optician company based in Arnsberg (Germany). He entered his personal data in the registration form on the company’s website and consented to the processing of those data. Thirteen days later, the defendant in the main proceedings sent an access request to Brillen Rottler under Article 15 of the GDPR.

13. Brillen Rottler rejected that request within the prescribed time limit, considering it unlawful under the terms of the second sentence of Article 12(5) of the GDPR, and asked the defendant in the main proceedings to abandon that request once and for all. The defendant maintained that access request and included a claim for damages under Article 82 of the GDPR, in the amount of EUR 1 000.

14. Brillen Rottler applied to the referring court seeking a declaration that the defendant in the main proceedings was not entitled to claim compensation. It argued that it was apparent from various online reports and lawyer blog posts that the defendant in the main proceedings was systematically and abusively making access requests for the sole purpose of obtaining compensation by alleging infringement of the GDPR. It further claimed that the defendant in the main proceedings was deliberately provoking those infringements using the same modus operandi: subscribing to a newsletter and then submitting an access request, followed by a claim for damages.

15. On 25 September 2023, the defendant lodged a counterclaim before the referring court seeking an order for Brillen Rottler to grant him access to information relating to the processing of his data and to pay him compensation under Article 82 of the GDPR for the non-material damage suffered. He argued that his right of access under Article 15 of that regulation may be exercised unconditionally and that he lawfully resided in Germany, so had a legitimate interest in subscribing to Brillen Rottler’s newsletter.

16. The referring court considers that, having regard to the principle of transparency of the processing of personal data, a limitation of the right of access in the case of an initial request should remain exceptional and that the fact that the applicant’s intention is subsequently to be able to obtain compensation for the damage cannot be a sufficient ground for refusal. According to the referring court, in view of the risk that the controller may abuse that right of refusal, reliance on public information demonstrating that the data subject has submitted a large number of requests cannot be sufficient, in itself, to justify the rejection of the access request.

17. As regards the right to compensation, the referring court considers that any infringement of the GDPR by the controller is likely to give rise to a right to compensation, even in the absence of data processing. The data subject is therefore also entitled to compensation, under Article 82(1) of the GDPR, for infringement of his right of access.

18. In those circumstances, the Amtsgericht Arnsberg (Local Court, Arnsberg, Germany) decided to stay the proceedings and to refer the following questions to the Court of Justice for a preliminary ruling:

‘(1) Is the second sentence of Article 12(5) of the [GDPR] to be interpreted as meaning there cannot be an excessive [access] request from the data subject when the first request is made to the controller?

(2) Is the second sentence of Article 12(5) of the GDPR to be interpreted as meaning that the controller can refuse an [access] request from the data subject if the data subject intends to use the [access] request to provoke claims for damages against the controller?

(3) Is the second sentence of Article 12(5) of the GDPR to be interpreted as meaning that grounds for refusing to provide information can be provided by publicly available information about the data subject which suggests that the data subject is asserting claims for damages against the controller in a large number of cases of infringement of the law relating to the protection of personal data?

(4) Is Article 4(2) of the GDPR to be interpreted as meaning that an [access] request from a data subject to the controller pursuant to Article 15(1) of the GDPR and/or a response to that request constitutes processing within the meaning of Article 4(2) of the GDPR?

(5) In view of the first sentence of recital 146 of the GDPR, is Article 82(1) thereof to be interpreted as meaning that only damage which the data subject suffers or has suffered as a result of processing is eligible for compensation? Does this mean that for there to be a claim for damages under Article 82(1) of the GDPR – assuming causal damage to the data subject exists – there must necessarily have been processing of the data subject’s personal data?

(6) If the answer to Question 5 is in the affirmative: does this mean that the data subject – assuming causal damage exists – has no claim for compensation under Article 82(1) of the GDPR solely on the basis of an infringement of his or her right to information under Article 15(1) of the GDPR?

(7) Is Article 82(1) of the GDPR to be interpreted as meaning that the controller’s objection relating to an abuse of right in relation to an [access] request from the data subject cannot, in view of EU law, consist in the fact that the data subject brought about processing of his or her personal data solely or inter alia in order to assert claims for damages?

(8) If the answers to Questions 5 and 6 are in the negative: does the mere loss of control and/or uncertainty about the processing of the data subject’s personal data associated with an infringement of Article 15(1) of the GDPR constitute non-material damage to the data subject within the meaning of Article 82(1) of the GDPR or does it also require a further (objective or subjective) restriction and/or (significant) damage to the data subject?’

19. Brillen Rottler, the defendant in the main proceedings, and the European Commission submitted written observations and participated in the hearing held on 5 June 2025.

20. As requested by the Court, this Opinion will focus on the analysis of the first to seventh questions referred.

IV. Analysis

A. The first, second, third and seventh questions referred

1. Reformulation of the questions

21. By its first, second and third questions, which can, in my view, be dealt with together, the referring court wishes to know, in essence, whether an initial access request can be characterised as ‘excessive’, within the meaning of the second sentence of Article 12(5) of the GDPR, where the data subject has made it in order to subsequently be able to obtain compensation from the controller and where publicly available information indicates that, in the event of infringement of the law relating to the protection of personal data, the data subject asserted in a large number of cases his or her right to compensation against the controller.

22. By its seventh question, the referring court asks, in essence, whether Article 82(1) of the GDPR is to be interpreted as meaning that the fact that the data subject brought about processing of his or her personal data solely or inter alia in order to assert his or her right to compensation cannot be relied on by the controller to refuse the data subject’s access request on the ground of abuse of right.

23. Although that question formally concerns the interpretation of Article 82(1) of the GDPR, I do not believe that its purpose is to interpret the conditions of the right to compensation enshrined in that provision. It does not refer to any of those conditions, unlike the fourth, fifth, sixth and eighth questions referred, which relate specifically to that provision. As formulated, the seventh question referred seeks, in my opinion, to clarify whether a controller may invoke the excessive character of an access request, within the meaning of the second sentence of Article 12(5) of the GDPR, where the data subject’s intention is to ‘provoke’ the processing of his or her data in order to assert claims for damages.

24. Accordingly, it must be considered that, by the seventh question, the referring court is referring to the ‘modus operandi’ alleged by Brillen Rottler against the defendant in the main proceedings, namely the fact of consenting to the processing of his data by subscribing to a newsletter in order to be able to submit an access request, followed by a claim for damages. From that angle, that question concerns the interpretation of the second sentence of Article 12(5) of the GDPR, referred to in the first, second and third questions referred.

25. I therefore propose to deal with the first, second, third and seventh questions referred together as seeking to determine whether the second sentence of Article 12(5) of the GDPR should be interpreted as meaning that an initial access request, made under Article 15 of that regulation to a controller, can be characterised as ‘excessive’ where:

– the data subject has consented to the processing of his or her data in order to be able to submit that access request and then bring a claim for damages;

– it appears from publicly available information that, where there has been an infringement of the law relating to the protection of personal data, the data subject has in a large number of cases asserted his or her right to compensation against the controller.

2. Analysis

(a) The excessive character of an initial access request

26. According to the first sentence of Article 12(5) of the GDPR, ‘information provided under Articles 13 and 14 and any communication and any actions taken under Articles 15 to 22 and 34 shall be provided free of charge’. As the Court held in the judgment in FT (Copies of medical records), (5) that provision establishes the principle that the exercise of the data subject’s right of access to his or her data undergoing processing and to the information relating thereto, under Article 15 of that regulation, is not to entail any cost for the data subject.

27. The second and third sentences of Article 12(5) of the GDPR lay down two grounds on which a controller may either charge a reasonable fee taking into account the administrative costs, or refuse to act on the access request: when it demonstrates that the data subject’s requests are ‘manifestly unfounded or excessive, in particular because of their repetitive character’.

28. It is thus clear from the wording of that provision that it is not only in the event of several requests being submitted that an access request may be considered ‘excessive’, since the repetitive character is mentioned solely by way of example.

29. Although it cannot, in my opinion, be ruled out that an initial access request may be considered excessive, I nevertheless share the referring court’s view that a controller may only claim such an excessive character in exceptional circumstances.

30. In the first place, in so far as the second sentence of Article 12(5) of the GDPR establishes an exception to the principle of the free-of-charge exercise of the right of access, the option for the controller to charge a reasonable fee or refuse to act on an access request must, according to a general principle of interpretation, (6) be interpreted strictly. (7)

31. In the second place, I note the fundamental importance of the right of access provided for in Article 15 of the GDPR to ensure the transparency of the manner in which personal data are processed and, therefore, the exercise of various other rights granted to data subjects by that regulation. (8) In addition, the second sentence of Article 8(2) of the Charter of Fundamental Rights enshrines the principle that ‘everyone has the right of access to data which has been collected concerning him or her’. Therefore, the exercise of the right of access must not be made subject to conditions which are overly strict. (9)

32. The right of access is necessary to enable the data subject to exercise, depending on the circumstances, his or her right to rectification, right to erasure (‘right to be forgotten’) or right to restriction of processing, conferred by Articles 16 to 18 of the GDPR, respectively, as well as the data subject’s right to object to his or her personal data being processed, laid down in Article 21 of the regulation, and his or her right to bring an action and right to compensation, laid down in Articles 79 and 82 of the regulation, respectively. (10)

33. In the third place, the exceptional nature of the right to charge a reasonable fee or to refuse to act on an access request under the second sentence of Article 12(5) of the GDPR is, in my view, consistent with the purpose of that regulation. As stated in recitals 10 and 11, the purpose of the regulation is to ensure a consistent and high level of protection of natural persons within the European Union and to strengthen and set out in detail not only the rights of data subjects, (11) but also the obligations of those who process and determine the processing of personal data.

34. In the light of the foregoing, I consider that there must be strict criteria for characterising an initial access request as ‘excessive’.

(b) The circumstances that allow a request to be characterised as ‘excessive’

35. It is clear from the judgment in FT (12) that the two grounds establishing an exception to the free-of-charge principle of, inter alia, the exercise of the right of access, relate to instances of ‘abuse of rights’.

36. However, the Court did not clarify the scope of that concept in the judgment. Indeed, it was common ground in that case that the data subject’s access request was not abusive. (13)

37. The background to the judgment in FT was a patient’s request to obtain, free of charge, from his dentist, an initial copy of his medical records with a view to triggering the liability of that medical professional on the grounds of alleged errors committed during treatment. (14) The patient’s completely legitimate intention was thus to obtain access to his data in order to be able to exercise, where applicable, the rights arising from the medical treatment contract in the event of medical errors. The Court concluded, on the basis of a literal, contextual and teleological interpretation of Article 12(5) and Article 15 of the GDPR, that there was no need to invoke one of the specific grounds justifying the access request mentioned in the first sentence of recital 63 of the regulation, that is to say, to become aware of the processing of the data and verify the lawfulness of that processing. (15)

38. Therefore, although the data subject cannot be required to give reasons for his or her access request, that does not mean that his or her intention is never taken into account.

39. Indeed, in the judgment in Österreichische Datenschutzbehörde, the Court held, on the basis of a literal, contextual and teleological interpretation of Article 57(4) of the GDPR, that the finding of the existence of excessive complaints requires it to be demonstrated, having regard to all the relevant circumstances of each case, that there has been an abusive intention on the part of the person who lodged the complaint with the supervisory authority. (16)

40. I note that Article 57(4) and the second sentence of Article 12(5) of the GDPR have the same wording and pursue the same objective, namely to provide for an exception to the free-of-charge principle applicable to the tasks carried out by the supervisory authorities and the exercise, inter alia, of the right of access by the data subject, respectively. Consequently, I consider that the interpretation contained in the previous point applies by analogy to the latter provision. (17)

41. It follows that, in order to rely on the option conferred, in the second sentence of Article 12(5) of the GDPR, to refuse to act on an excessive access request – or, as the case may be, to charge a reasonable fee – the controller must demonstrate, in accordance with the third sentence of that provision, in the light of all the relevant circumstances of each request, an abusive intention on the part of the data subject.

42. Abuse of rights is a mechanism that applies in the circumstances of the present case. Thus, it will be for the referring court to determine whether, taking into account the circumstances at issue in the present case, Brillen Rottler has demonstrated the excessive character of the access request made by the defendant in the main proceedings. (18)

43. By contrast, the Court’s interpretational task is to clarify whether certain circumstances fall within the generic legal concept of ‘excessive character’.

44. Specifically, the referring court enquires whether an initial access request can be considered excessive when, on the one hand, the data subject has a ‘modus operandi’ of consenting to the processing of his data and then lodging an access request solely – or inter alia – for the purpose of asserting claims for damages and when, on the other hand, it appears from publicly available information that, in the event of infringement of the law relating to the protection of personal data, the data subject has asserted in a large number of cases his or her right to compensation against the controller.

45. In that regard, the Court found, in the judgment in Österreichische Datenschutzbehörde, that Article 57(4) of the GDPR reflects the settled case-law on the general legal principle that EU law cannot be relied on for abusive or fraudulent ends. (19) That case-law provides for a two-part examination which requires, in order to establish the existence of an abusive practice, the combination of an objective element and a subjective element. (20) However, as I have already had the opportunity to explain, (21) when the aim pursued by the EU rules appears a priori to be achieved, it is expedient to begin by analysing not the objective element but the subjective element in order to determine what the intention of the data subject was. Given that Article 15 of the GDPR aims to guarantee access to the data being processed and the related information, that objective seems, in the present case, a priori to be achieved in so far as the defendant in the main proceedings has requested access to the data processed after subscribing to the Brillen Rottler newsletter.

46. In the judgment in Österreichische Datenschutzbehörde, the Court found, in order to interpret the concept of ‘excessive character’ of a complaint, that a finding of an abusive intention in the exercise of the right to complain may be made ‘if a person has lodged complaints in circumstances where it was not objectively necessary to do so in order to protect his or her rights under [the GDPR]’. (22) When a data subject submits a large number of complaints to the supervisory authority, the supervisory authority must demonstrate that ‘that number is not to be explained in terms of the data subject wishing to obtain protection of his or her rights under the GDPR, but in terms of some other purpose, unconnected with the protection of those rights’. (23)

47. Returning to the right of access and, in the first place, to the data subject’s intention to ‘provoke’ a right to compensation by submitting an access request, I note, as is apparent from recital 63 of the GDPR, that it may be entirely legitimate and consistent with the objectives pursued by Article 15 of the GDPR to submit, for example, an access request with the intention of verifying whether the controller has processed the data unlawfully. (24) In addition, as is apparent from point 32 of this Opinion, the right of access is necessary to enable the data subject to exercise also, where applicable, his or her right to compensation.

48. In the second place, I note that the grounds for the seventh question referred, as regards the data subject’s intention to ‘provoke’ the processing of his personal data solely – or inter alia – for the purpose of obtaining compensation, are very succinct. Those grounds mostly allude to the assumption that the data subject’s actual intention in consenting to the processing of his data would be to ‘detect’ an infringement of the GDPR by submitting an access request with a view to later asserting claims for damages.

49. Based on that assumption, it seems to me that, by submitting an access request after having consented to the processing of his data, the data subject does not wish to access those data or the information referred to in Article 15 of the GDPR, but to exploit the configuration – which is from the outset favourable to data subjects – of the rights and obligations arising from that regulation for purposes other than the protection of his data.

50. That may be the case, in particular, where the data subject’s intention is precisely to cause the controller to refuse the access request so that he may demand the immediate payment of compensation, potentially under the threat of bringing a claim for damages. Given those circumstances, such an intention would, in my opinion, be abusive and should not be protected under the GDPR. The examples of cases of abusive litigation cited in the guidelines of the European Data Protection Board also point in that direction. (25)

51. In the third place, as regards the fact that it appears from publicly available information that, in the event of infringement of the law relating to the protection of personal data, the data subject has asserted his right to compensation against the controller in a large number of cases, I consider that it is not sufficient, in itself and without further evidence, to demonstrate an abusive intention. Article 82 of the GDPR specifically confers the right to seek compensation for damage in the event of infringement of that regulation, such that the exercise of that right cannot be presumed to be abusive.

52. I note that the mere quantitative factor of the requests was also not considered by the Court, in the judgment in Österreichische Datenschutzbehörde, as a sufficient criterion for establishing an ‘excessive’ character. The Court reached that conclusion by interpreting that concept taking into account the specific context of the tasks carried out by the supervisory authorities to ensure a high level of protection of personal data. (26) The objective circumstances to be taken into consideration are therefore, in my view, not the same for complaints and access requests, the latter not being addressed to the supervisory authority.

53. In that regard, I note that the controller must demonstrate an abusive intention in the event of a dispute before a court or in the event of a complaint before the supervisory authority, that is to say after it has refused to act on the data subject’s request. However, it is the point at which the data subject sends the access request that the controller must assess whether the data subject’s intention is, where relevant, abusive.

54. Thus, in order to demonstrate, in the light of all the relevant circumstances of the case, the abusive intention of the data subject, the controller should be able to rely in particular on the subject of the access request, the time that has elapsed between the consent to the processing and that request, the quantity and nature of the personal data covered by that request and the activity in the context of which it processes the data, if any. (27)

55. In the light of the foregoing considerations, I propose that the answer to the first, second, third and seventh questions referred should be that the second sentence of Article 12(5) of the GDPR should be interpreted as meaning that:

– an initial access request, made under Article 15 of the GDPR to a controller, can be characterised as ‘excessive’ when the controller demonstrates, taking into account all the relevant circumstances of the case, an abusive intention on the part of the data subject, such an intention being found when that person has consented to the processing of his or her personal data to be able to submit that access request and then claim compensation;

– the mere fact that it appears from publicly available information that, in the event of infringement of the law relating to the right to protection of personal data, the data subject has asserted in a large number of cases his or her right to compensation against the controller, is not sufficient to characterise such a request as ‘excessive’.

B. The fourth, fifth and sixth questions referred

1. The order of analysis of the questions and their reformulation

56. I would point out, at the outset, that should the referring court find that the access request was excessive, within the meaning of the second sentence of Article 12(5) of the GDPR, Brillen Rottler would indeed be entitled not to act on that request. In that case, the argument of the defendant in the main proceedings alleging infringement of Article 15 of the GDPR in order to obtain a right to compensation under Article 82 of that regulation cannot be accepted.

57. That being so, by its fourth question, the referring court enquires whether Article 4(2) of the GDPR is to be interpreted as meaning that an access request from a data subject to the controller pursuant to Article 15(1) of the GDPR and/or a response to that request constitutes processing within the meaning of Article 4(2) of that regulation.

58. By its fifth question, the referring court asks, in essence, whether Article 82(1) of the GDPR is to be interpreted as meaning that only damage which the data subject suffers as a result of his personal data being processed is eligible for compensation. If so, the referring court enquires, by its sixth question, whether Article 82(1) of the GDPR confers on the data subject a right to compensation for the damage suffered solely because of the infringement of the right of access provided for in Article 15(1) of that regulation.

59. As for the fifth question referred, it is, in my opinion, the premiss of the fourth and sixth questions referred. Indeed, it is only in the event that the liability for damage under Article 82(1) of the GDPR is subject to the condition that that damage has been suffered ‘as a result of’ processing, as defined in Article 4(2) of that regulation, that it is important to clarify whether, in the event of infringement of the right of access enshrined in Article 15(1) of that regulation, that condition is met.

60. Therefore, I will first analyse the fifth question referred and then, if necessary, the fourth and sixth questions referred together, for the purpose of determining whether Article 82(1) of the GDPR should be interpreted as meaning that damage suffered as a result of infringement of the right of access is ‘caused by processing’ the data.

2. Analysis

(a) The event giving rise to the damage within the meaning of Article 82 of the GDPR

61. Under Article 82(1) of the GDPR, ‘any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered’. (28)

62. The Court has repeatedly interpreted that provision to the effect that mere infringement of the GDPR is not sufficient to confer a right to compensation on the data subject on that basis, since that right is subject to a combination of three cumulative conditions, namely the existence of material or non-material ‘damage’, an infringement of the provisions of that regulation and a causal link between that damage and that infringement. (29)

63. Nevertheless, the referring court has doubts regarding recital 146 of the GDPR, which states that the controller or processor should compensate any damage which a person may suffer as a result of processing that infringes that regulation. It should be noted that, as is often the case, (30) that recital is also reflected in the text of that regulation, namely Article 82(2) thereof, which provides, inter alia, that any controller involved in processing is liable for the damage caused by processing which infringes that regulation.

64. Furthermore, paragraph 3 of that provision provides that a controller, or processor depending on the circumstances, is exempt from liability under paragraph 2 if it proves that it is not in any way responsible for the event giving rise to the damage.

65. The interpretation of those provisions is not without difficulties in understanding their relationship to each other and the scope of Article 82 of the GDPR.

66. Given the wording of Article 82 of the GDPR, it could be assumed that, unlike paragraph 1 of that article, any infringement of that regulation does not give rise to a right to compensation for the damage caused by that infringement, but that the damage must, more specifically, have been caused by data processing contrary to that regulation, as stated in paragraph 2 of that article.

67. That interpretation seems to me to be the one given by the Court in several judgments, beginning with the judgment in Österreichische Post (Non-material damage in connection with the processing of personal data). (31) However, in the cases that gave rise to those judgments, the data subjects’ data had actually been processed, such that the question of the need for processing that caused the damage was not relevant.

68. Still, the background, the objectives and the context of Article 82 of the GDPR prevents, in my view, a restrictive interpretation of the concept of ‘event giving rise’ to the damage as being data processing contrary to that regulation, and not any infringement of it.

69. In the first place, I note that the corresponding provision of Directive 95/46/EC, (32) namely Article 23 thereof, required Member States to provide that any person who has suffered damage as a result of an unlawful processing operation or of any act incompatible with the national provisions adopted pursuant to that directive is entitled to receive compensation from the controller for the damage suffered.

70. The EU legislature thus specified, in Article 82 of the GDPR, first, the nature of the damage suffered (material or non-material) and, second, introduced the liability of the processor, which did not feature in Article 23 of Directive 95/46.

71. If Article 82(1) of the GDPR were to be interpreted in the sense proposed in point 66 of this Opinion, that would imply that, in relation to that directive, the EU legislature has limited the scope of liability for damage in the GDPR to the sole unlawful act consisting in data processing in violation of that regulation. However, I believe that if the legislature had intended to reduce the level of data protection in the context of private enforcement under that regulation, this would be reflected more clearly in its text.

72. In the second place, compromising the level of protection would run counter to the GDPR’s objective of strengthening and clarifying the rights of data subjects, in particular by strengthening the tools for ensuring the effectiveness of its provisions of that regulation. (33)

73. Accordingly, the background and objective of Article 82 of the GDPR support, in my view, an interpretation of paragraph 2 of that article not as a limitation of paragraph 1, but as a complementary provision. To my mind, therefore, a right to compensation exists if the damage suffered results either from data processing that infringes that regulation, or from another infringement of the regulation, provided that the existence of such damage is demonstrated.

74. That interpretation is also compatible with the conclusion drawn by the Court from the combined reading of paragraphs 1 to 3 of Article 82 of the GDPR, in light of the context of that provision and the objectives pursued by that regulation, namely that that article provides for fault-based liability in which the burden of proof rests on the controller. (34) In so far as, in my opinion, Article 82(2) of the regulation supplements paragraph 1, the reference to that paragraph 2 by paragraph 3, which places the burden of proof on the controller, implicitly includes a reference to paragraph 1 as well. Thus, whether the damage results from an infringement of the GDPR or, more specifically, from processing contrary to that regulation, the same rules apply.

75. In the third place, that finding is supported by the fact that the Court has interpreted rather broadly other provisions of the GDPR which, like Article 82 of that regulation, appear in Chapter VIII thereof, entitled ‘Remedies, liability and penalties’, and which refer to an infringement of the rights conferred by that regulation ‘as a result of the processing’. As regards Article 80(2) of the regulation, which governs the standing to bring a representative action independently of any mandate conferred by the data subject, the Court interpreted that provision in the sense that it must be claimed that the infringement of the rights conferred by the GDPR ‘occurs in the course’ of the processing. (35)

76. Furthermore, Article 79(1) of the GDPR provides that each data subject has the right to an effective judicial remedy where he or she considers that his or her rights under that regulation have been infringed as a result of the processing of his or her personal data in non-compliance with that regulation. According to the Court’s case-law, the practical arrangements for exercising that remedy must be established in accordance with the right to effective judicial protection, (36) as is also apparent from recital 141 of the regulation. The objective of effective judicial protection of the rights conferred by the GDPR militates, in my opinion, against a restrictive interpretation of the conditions for exercising that remedy, including the infringement of the data subject’s rights ‘as a result of processing’. (37)

77. In the light of the foregoing, I propose that the answer to the fifth question referred should be that Article 82(1) of the GDPR must be interpreted as meaning that the damage suffered by the data subject as a result of an infringement of that regulation is eligible for compensation, even if that damage was not caused by processing the data subject’s personal data.

(b) The concept of ‘processing’ for the purposes of the right to compensation

78. In view of my proposed answer to the fifth question referred, it is unnecessary to answer the fourth and sixth questions referred. However, should the Court choose not to adopt that interpretation and consider that the damage must necessarily have been caused by data processing that constitutes an infringement of the GDPR, I will examine to what extent the condition referred to in the fifth question referred (38) would be met in the event of infringement of the right of access in a situation such as that in the present case, in order to propose an answer to those two questions.

79. In the first place, I note that Article 2(1) of the GDPR provides that the regulation applies to the ‘processing’ of personal data. It is well established that that concept, defined in Article 4(2) of the GDPR as ‘any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means’, has a broad scope. (39)

80. In the second place, given the broad scope of that concept, in the vast majority of cases, the question whether an infringement of the GDPR triggering liability, under Article 82 thereof, results from the processing of personal data does not, in my view, even arise. However, that conclusion is not obvious as regards the infringement of the right of access under Article 15(1) of that regulation.

81. As a reminder, Article 15(1) of the GDPR provides for the right of the data subject to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to those data and the information listed in that provision. In addition, recital 60 of that regulation states that the principle of fair and transparent processing requires that the data subject be informed of the existence of the processing operation and its purposes.

82. It follows that Article 15 of the GDPR aims, as the Commission submits, in essence, to enable the data subject to obtain information on the processing or otherwise of his or her personal data by the controller. Therefore, the fact of sending a request for access to such data to the controller does not constitute ‘processing’ under the GDPR, as defined in Article 4(2) thereof.

83. In the third place, I should point out that the present case concerns the refusal of the controller, who manages the newsletter to which the defendant in the main proceedings has subscribed, to act on the defendant’s access request. In order to respond (affirmatively or negatively) to such a request, the controller necessarily uses certain personal data of the applicant, and at the very least a physical or electronic address or a telephone number (in the event of a response by telephone/fax) associated with his name. The use of such data constitutes a separate processing operation to which the GDPR applies. (40)

84. However, I believe that any damage would be caused not by processing the data in order to notify the refusal, but the unjustified refusal to act on the access request.

85. As the Commission rightly argues, the legal protection of the right of access, which is of structural importance in the GDPR system, would therefore be significantly curtailed if such an infringement of the right of access could not give rise to a right to compensation.

86. Accordingly, in order to safeguard the objectives pursued by the GDPR, set out in points 33 and 72 of this Opinion, and to ensure the effectiveness of the right of access, I consider that, if it is necessary, the condition stipulated in Article 82(2) of that regulation, relating to the processing that caused the damage, must be interpreted broadly. Such a solution would amount to a broad concept of causation, within the meaning of Article 82 of the regulation. One argument supporting that interpretation is that, in the context of remedies, a restrictive interpretation of the conditions for exercising such remedies would run counter to the objective of effective judicial protection of the rights conferred by the GDPR. (41)

87. As regards my proposed interpretation of the term ‘event giving rise’, I note that it in no way prejudges the other conditions required to assert, in the event of infringement of Article 15 of the GDPR, a right to compensation under Article 82 of that regulation. Specifically, a data subject affected by an infringement of the GDPR which has had negative consequences for him or her is required to demonstrate that those consequences constitute non-material damage, within the meaning of Article 82 of that regulation, since the mere infringement of the provisions thereof is not sufficient to confer a right to compensation. (42)

88. Furthermore, my proposed answer to the fifth question referred will also require an answer to the eighth question referred, which concerns non-material damage to be compensated owing to the loss of control over personal data as a result of an infringement of Article 15(1) of the GDPR or the existence of uncertainty about the processing of such data.

89. In that regard, I wish to observe – even though the eighth question referred is not the subject of this Opinion – that the Court has held on numerous occasions that the loss of control over personal data, even for a short period of time, may constitute non-material damage, within the meaning of Article 82(1) of the GDPR, giving rise to a right to compensation, provided that the data subject can show that he or she has actually suffered such damage, (43) without a ‘de minimis threshold’ being required. (44)

90. However, the Court has also held that, where damage is established, a national court may, where that damage is not serious, compensate for it by awarding minimal compensation to the data subject, provided that that compensation is such as to compensate in full for the damage suffered. (45)

91. In the present case, the defendant in the main proceedings seeks the payment of compensation of EUR 1 000 for the non-material damage suffered which, according to him, results from the alleged loss of control over the personal data that he entered in the registration form for the Brillen Rottler newsletter 13 days before the access request was made. It is for the referring court to assess whether the defendant in the main proceedings has demonstrated that any such infringement of the right of access has had negative consequences for him and that those consequences constitute non-material damage within the meaning of Article 82 of the GDPR.

V. Conclusion

92. In the light of all the foregoing considerations, I propose that the Court of Justice answer the first to seventh questions referred for a preliminary ruling by the Amtsgericht Arnsberg (Local Court, Arnsberg, Germany) as follows:

(1) The second sentence of Article 12(5) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC,

must be interpreted as meaning that:

– an initial access request, made under Article 15 of Regulation 2016/679 to a controller, can be characterised as ‘excessive’ when the controller demonstrates, taking into account all the relevant circumstances of the case, an abusive intention on the part of the data subject, which may be established when that person has consented to the processing of his or her personal data to be able to submit that access request and then claim compensation;

(2) Article 82(1) of Regulation 2016/679

must be interpreted as meaning that damage suffered by the data subject as a result of an infringement of that regulation is eligible for compensation, even if that damage was not caused by processing the data subject’s personal data.

1 Original language: French.

2 See Basedow, J., EU Private Law – Anatomy of a Growing Legal Order, Intersentia, Cambridge, 2021, paragraphs 98 and 99.

3 See, by way of example, in the field of consumer credit agreements, judgment of 21 December 2023, BMW Bank and Others (C‑38/21, C‑47/21 and C‑232/21, EU:C:2023:1014, paragraphs 280 to 282 and the case-law cited).

4 Regulation of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ 2016 L 119, p. 1).

5 Judgment of 26 October 2023 (C‑307/22, ‘judgment in FT’, EU:C:2023:811, paragraph 31).

6 See, to that effect, judgment of 30 April 2025, Generalstaatsanwaltschaft Frankfurt am Main (Export of cash to Russia) (C‑246/24, EU:C:2025:295, paragraph 27 and the case-law cited).

7 See, by analogy, as regards Article 57(4) of the GDPR, judgment of 9 January 2025, Österreichische Datenschutzbehörde (Excessive requests) (C‑416/23, ‘judgment in Österreichische Datenschutzbehörde’, EU:C:2025:3, paragraphs 33 and 48).

8 See, to that effect, judgment of 22 June 2023, Pankki S (C‑579/21, EU:C:2023:501, paragraph 59).

9 See, to that effect, Opinion of Advocate General Richard de la Tour in Österreichische Datenschutzbehörde (Excessive requests) (C‑416/23, EU:C:2024:701, point 62).

10 Judgment of 27 February 2025, Dun & Bradstreet Austria and Others (C‑203/22, EU:C:2025:117, paragraph 54 and the case-law cited).

11 See, to that effect, judgments in FT (paragraph 47) and in Österreichische Datenschutzbehörde (paragraph 38).

12 Paragraph 31.

13 Paragraphs 31 and 32.

14 Paragraphs 18 and 23.

15 Judgment in FT (paragraphs 35 to 51, in particular, paragraphs 38, 43, 50 and 51). The Court confirmed that interpretation in the order of 27 May 2024, Addiko Bank (C‑312/23, EU:C:2024:458), concerning a bank’s refusal to send its customers – some of whom were considering lodging a complaint or bringing a legal action against the bank – copies of their credit documentation.

16 See, to that effect, judgment in Österreichische Datenschutzbehörde (paragraph 50).

17 The Court has already applied by analogy, in paragraph 48 of the judgment in Österreichische Datenschutzbehörde, the interpretation adopted in paragraph 31 of the judgment in FT.

18 See, regarding the reference to the national court, judgment of 12 January 2023, Österreichische Post (Information regarding the recipients of personal data) (C‑154/21, EU:C:2023:3, paragraph 50).

19 Judgment in Österreichische Datenschutzbehörde (paragraph 49).

20 See, for example, in private law cases, judgments of 21 December 2023, BMW Bank and Others (C‑38/21, C‑47/21 and C‑232/21, EU:C:2023:1014, paragraphs 284 and 285 and the case-law cited), and of 19 September 2024, Matmut (C‑236/23, EU:C:2024:761, paragraph 54).

21 See my Opinion in Matmut (C‑236/23, EU:C:2024:560, point 67).

22 Judgment in Österreichische Datenschutzbehörde (paragraph 50).

23 See, to that effect, judgment in Österreichische Datenschutzbehörde (paragraph 56).

24 See, inter alia, judgment of 4 May 2023, Österreichische Datenschutzbehörde and CRIF (C‑487/21, EU:C:2023:369, paragraphs 33 to 35).

25 Namely, when data subjects make excessive use of the right of access with the only intent of causing damage or harm to the controller or when an individual makes a request, but at the same time offers to withdraw it in return for some form of benefit from the controller; see Guidelines 01/2022 on data subject rights – Right of access, version 2.1, adopted on 28 March 2023, https://www.edpb.europa.eu/system/files/2023-04/edpb_guidelines_202201_data_subject_rights_access_v2_en.pdf, paragraphs 188 and 190.

26 See, to that effect, judgment in Österreichische Datenschutzbehörde (paragraphs 51 to 57).

27 See, also, examples in the European Data Protection Board Guidelines 01/2022 on data subject rights – Right of access, version 2.1, adopted on 28 March 2023, https://www.edpb.europa.eu/system/files/2023-04/edpb_guidelines_202201_data_subject_rights_access_v2_en.pdf, paragraphs 13, 185, 188 and 190.

28 Emphasis added.

29 See, to that effect, judgment of 4 May 2023, Österreichische Post (Non-material damage in connection with the processing of personal data) (C‑300/21, EU:C:2023:370, paragraphs 32 to 34), and, most recently, of 4 October 2024, Patērētāju tiesību aizsardzības centrs (C‑507/23, EU:C:2024:854, paragraph 24).

30 See, in that regard, my Opinion in Joined Cases X and Visser (C‑360/15 and C‑31/16, EU:C:2017:397, paragraph 132).

31 In paragraph 36 of the judgment of 4 May 2023, Österreichische Post (Non-material damage in connection with the processing of personal data)) (C‑300/21, EU:C:2023:370), the Court held that ‘Article 82(2) of the GDPR, which specifies the rules on liability – the principle of which is established in paragraph 1 of that article – reproduces the three conditions necessary to give rise to the right to compensation, namely processing of personal data that infringes the provisions of the GDPR, damage suffered by the data subject, and a causal link between that unlawful processing and that damage’ (emphasis added). That interpretation was reproduced in paragraph 159 of the judgment of 4 October 2024, Agentsia po vpisvaniyata (C‑200/23, EU:C:2024:827). See also judgment of 21 December 2023, Krankenversicherung Nordrhein (C‑667/21, EU:C:2023:1022, paragraphs 92 to 97), which does not seem to distinguish between an infringement of the GDPR and processing that constitutes an infringement of that regulation.

32 Directive of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ 1995 L 281, p. 31).

33 See, to that effect, Opinion of Advocate General Campos Sánchez-Bordona in Österreichische Post (Non-material damage in connection with the processing of personal data) (C‑300/21, EU:C:2022:756, paragraph 41).

34 Judgment of 21 December 2023, Krankenversicherung Nordrhein (C‑667/21, EU:C:2023:1022, paragraphs 94 and 95).

35 See judgment of 11 July 2024, Meta Platforms Ireland (Representative action) (C‑757/22, EU:C:2024:598, paragraphs 40 and 42 and 59 to 64), in which the Court interpreted the requirement of an infringement of the rights of the data subject ‘as a result of the processing’ in the light of the preventive function of the representative action. See also judgment of 4 May 2023, Österreichische Post (Non-material damage in connection with the processing of personal data) (C‑300/21, EU:C:2023:370, paragraph 39), according to which ‘Articles 77 and 78 of the GDPR, contained [in Chapter VIII], provide for legal remedies before or against a supervisory authority, in case of an alleged infringement of that regulation …’.

36 See, most recently, judgment of 30 April 2025, Inspektorat kam Visshia sadeben savet (C‑313/23, C‑316/23 and C‑332/23, EU:C:2025:303, paragraph 136 and the case-law cited).

37 See, to that effect, Martini, M., ‘Article 79’, DSGVO BDSG, in Paal, B.P., and Pauly, D.A. (eds), 3rd edition, Munich, 2021, paragraph 22a.

38 Namely, the condition that the data subject’s personal data has been processed.

39 See, most recently, judgment of 3 April 2025, Ministerstvo zdravotnictví (Data concerning the representative of a legal person) (C‑710/23, EU:C:2025:231, paragraph 27).

40 As the referring court and the Commission have rightly pointed out, the processing of the data subject’s personal data for the purpose of responding to an information request made under Article 15 of the GDPR would be lawful, within the meaning of Article 6(1)(c) and Article 6(3) of that regulation, whether or not the controller has already processed that person’s data. Such processing is indeed necessary, within the meaning of the abovementioned provisions, to comply with a legal requirement to which the controller is subject under EU law.

41 See, with regard to Article 79 of the GDPR, Martini, M., ‘Article 79’, DSGVO BDSG, in Paal, B.P., and Pauly, D.A. (eds.), 3rd edition, Munich, 2021, paragraph 22a.

42 Judgment of 4 October 2024, Agentsia po vpisvaniyata (C‑200/23, EU:C:2024:827, paragraph 142 and the case-law cited).

43 See, inter alia, judgments of 4 May 2023, Österreichische Post (Non-material damage in connection with the processing of personal data) (C‑300/21, EU:C:2023:370, paragraphs 32 to 36); of 20 June 2024, PS (Incorrect address) (C‑590/22, EU:C:2024:536, paragraph 33); and of 4 September 2025, Quirin Privatbank (C‑655/23, EU:C:2025:655, paragraphs 62 and 64).

44 See, to that effect, judgments of 14 December 2023, Gemeinde Ummendorf (C‑456/22, EU:C:2023:988, paragraph 18); of 20 June 2024, Scalable Capital (C‑182/22 and C‑189/22, EU:C:2024:531, paragraph 44); and of 4 October 2024, Agentsia po vpisvaniyata (C‑200/23, EU:C:2024:827, paragraph 149).

45 Judgment of 20 June 2024, Scalable Capital (C‑182/22 and C‑189/22, EU:C:2024:531, paragraph 46).