The Court of Justice of the European Union (CJEU) ruled on Apr. 15 that organizations may refuse a person’s very first data subject access request under Article 15 of the General Data Protection Regulation (GDPR) if they can prove, to a high evidential standard, that the request was made with abusive intent. The decision addresses how companies should handle requests that appear to be driven by compensation claims rather than genuine concerns about personal data.
This ruling is significant for organizations dealing with large numbers of data subject access requests (DSARs), especially those facing what seem to be systematic or compensation-driven activities. It provides guidance on when such requests may justifiably be refused but also sets strict conditions for doing so.
The case involved Brillen Rottler, an opticians practice in Germany, which denied a DSAR from an individual known as TC. The company argued TC had a pattern: subscribing to newsletters, submitting DSARs, and then seeking compensation if requests were not fulfilled. The CJEU clarified that even a first DSAR could be considered “excessive” if there is clear evidence it was made with an abusive purpose rather than to exercise GDPR rights. However, “the exception must be interpreted restrictively and applies only exceptionally,” according to the court.
To establish abusive intent, controllers must meet both objective and subjective criteria: showing the true purpose of Article 15 has not been met and proving the requester’s real intention was something other than protecting their GDPR rights—such as creating grounds for compensation claims. Controllers bear the burden of proof and must demonstrate this intent unequivocally; mere suspicion is insufficient.
The court also confirmed that individuals are entitled to compensation under Article 82 GDPR for breaches related to right-of-access refusals—even if no unlawful processing occurred—so long as actual damage can be shown and linked causally to the infringement. However, where claimants have manufactured circumstances solely for financial gain without genuine engagement over their personal data, this causal link may be broken.
This judgment arrives amid ongoing legislative discussions about amending GDPR through a proposed Digital Omnibus Regulation in Europe—which could lower evidential standards required from controllers—but it remains unclear whether future laws will reflect this recent decision’s stricter approach.
While binding across EU member states, this CJEU judgment does not apply directly in England but may still influence UK courts or regulators where similar provisions exist. Organizations operating in both jurisdictions are advised to review their DSAR policies separately.
