Case C‑526/24

Brillen Rottler GmbH & Co. KG

v

TC

(Request for a preliminary ruling from the Amtsgericht Arnsberg)

 Judgment of the Court (Fourth Chamber) of 19 March 2026

( Reference for a preliminary ruling – Protection of natural persons with regard to the processing of personal data – Regulation (EU) 2016/679 – Article 12(5) – Article 15(1) – Data subject’s right of access to the personal data concerning him or her – Controller’s right to refuse to act on the request for access – Excessive character of the request – Abuse of rights – First request for access – Right to compensation and liability – Article 82(1) – Action based on infringement of the right of access – Non-material damage – Loss of control over personal data )

1.        Protection of natural persons with regard to the processing of personal data – Regulation 2016/679 – Data subject’s right of access to his or her data undergoing processing – Controller’s right to refuse to act on a request for access – Concept of excessive requests – First request for access – Criteria – Assessment of objective and subjective elements of an abusive practice – Abusive intention on the part of the data subject – Relevant evidence

(European Parliament and Council Regulation 2016/679, recitals 4, 10 and 11, and Arts 12(5), 15(1) and 57(4))

(see paragraphs 24-37, 39, 40, 42, 45, operative part 1)

2.        Protection of natural persons with regard to the processing of personal data – Regulation 2016/679 – Right to compensation and liability – Right to compensation for the damage resulting from an infringement of the right of access to personal data – Limitation to damage resulting from the processing of personal data – None

(European Parliament and Council Regulation 2016/679, recitals 11, 141 and 146, and Arts 15(1) and 82(1))

(see paragraphs 48-55, operative part 2)

3.        Protection of natural persons with regard to the processing of personal data – Regulation 2016/679 – Right to compensation and liability – Right to compensation for the damage suffered – Non-material damage – Concept – Loss of control over personal data or uncertainty as to whether those data have been processed – Included – Obligation of the data subject to prove the existence of damage – Causal link between the alleged infringement and the alleged damage broken by the data subject’s conduct – Conduct is the determining cause of the damage – No right to compensation

(European Parliament and Council Regulation 2016/679, recital 85 and Art. 82(1))

(see paragraphs 58-67, operative part 3)

Résumé

Ruling on a request for a preliminary ruling from the Amtsgericht Arnsberg (Local Court, Arnsberg, Germany), the Court of Justice clarifies the limits on the exercise of the right of access to personal data under Article 15 of the General Data Protection Regulation (1) in the event of an ‘abuse of rights’ and the conditions for the right to compensation under Article 82 of that regulation.

In 2023, TC, a private individual residing in Austria, subscribed to the newsletter of Brillen Rottler, a German optician company, by providing his personal data and consenting to the processing of those data. Shortly afterwards, he made a request to that company for access to those data. Although his request was refused by that company, which considered it to be abusive, TC nevertheless repeated it, adding a claim for compensation for the non-material damage that he claims to have suffered as a result of that company’s refusal to grant him access to his personal data. Brillen Rottler then brought an action before the referring court seeking a declaration that TC was not entitled to compensation, arguing that, according to publicly available information, TC systematically and abusively makes requests for access to various controllers for the sole purpose of obtaining compensation.

Harbouring doubts as to the relevant circumstances for the purpose of characterising a request for access as ‘excessive’ within the meaning of Article 12(5) of the GDPR, which allows the controller, inter alia, not to act on such a request, and as to the right to claim, on the basis of Article 82(1) of that regulation, compensation for the damage resulting from an infringement of the right of access, the referring court has referred the matter to the Court.

Findings of the Court

As regards the possibility of characterising a first request for access to personal data made by the data subject to the controller as ‘excessive’, within the meaning of Article 12(5) of the GDPR, the Court notes that that provision refers to the repetitive character of requests for access solely by way of example, so that such characterisation is not determined simply by the number of requests submitted by the same data subject. The excessive character of a request for access must therefore be assessed qualitatively, in order to determine whether it constitutes an abuse of rights.

The Court states that such an abuse exists where, despite formal observance of the conditions laid down for the exercise of the right of access to personal data within the meaning of Article 15 of the GDPR, there has been an abusive intention on the part of the data subject, in particular, where that data subject makes a request for access not for the purpose of asserting his or her rights under that regulation, but for another purpose, such as that of artificially creating the conditions laid down for obtaining an advantage from that regulation.

However, in so far as Article 12(5) of the GDPR establishes an exception to the obligation of controllers to facilitate data subjects’ right of access to their personal data, it must be interpreted restrictively. Thus, a controller may rely on the excessive character of a request for access only exceptionally, where it demonstrates, in the light of all the relevant circumstances of each case, that that request was made with an abusive intention. The fact that the data subject has made a large number of requests for access, followed by claims for compensation, to various controllers may also be taken into consideration in that regard.

As regards the interpretation of Article 82(1) of the GDPR, the Court finds, first, that that provision also confers on the data subject a right to compensation for the damage solely resulting from an infringement of the right of access provided for in Article 15(1) of that regulation. It notes that that Article 82(1) contains no reference to ‘processing’, so that, in order not to undermine the effectiveness of that right to compensation, that right cannot be limited to damage resulting from the processing of personal data as such. Such a limitation would exclude from the scope of that article damage caused by the infringement of certain rights provided for by that regulation, such as the right of access, the infringement of which results, in principle, from the refusal to act on a request with regard to the exercise of those rights, rather than from the actual processing of data.

Second, the Court provides clarification on the concept of ‘non-material damage’ suffered by the data subject within the meaning of Article 82(1) of the GDPR. It notes, in particular, that that concept encompasses the data subject’s loss of control over his or her personal data or his or her uncertainty as to the whether those data have been processed, provided that it is demonstrated, in particular, that the data subject actually suffered such damage and that his or her conduct was not the determining cause of that damage.

In that context, the Court states, after recalling that the causal link between the alleged infringement of the GDPR and the damage allegedly suffered by the data subject is a condicio sine qua non for a right to compensation under Article 82(1) of that regulation, that the causal link is broken by the data subject’s conduct where the loss of control over his or her personal data or the uncertainty as to whether those data have been processed was caused by the data subject’s decision to submit those data to the controller with the aim of artificially creating the conditions laid down for the application of that provision.

1      Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ 2016 L 119, p. 1; ‘the GDPR’).