C-526/24: When does a GDPR access request become abusive?
The Court of Justice of the European Union’s judgment in Case C-526/24, Brillen Rottler GmbH & Co. KG v TC., addresses an issue that many businesses recognise in practice: where is the line between the legitimate exercise of data subject rights and the strategic use of the GDPR to pursue damages claims? For organisations handling such requests, it is important to have a clear process and, in borderline cases, to seek support from a data protection lawyer.
The judgment is noteworthy because it addresses both the right of access under Article 15 GDPR and damages under Article 82. It also shows that the threshold for dismissing a first request as excessive is high, even where the surrounding circumstances raise questions about the motive behind the request.
Background to C-526/24
In the case, a private individual subscribed to a newsletter from the German company Brillen Rottler. Shortly afterwards, that individual requested access to their personal data under Article 15 GDPR. The company took the view that the request constituted an abuse of rights and declined to comply within the prescribed time limit. The dispute then came to centre on two issues: whether a first request for information can be excessive under Article 12(5) GDPR, and whether an infringement of Article 15 can in itself give rise to damages under Article 82.
Can a first GDPR access request be excessive?
The Court notes that Article 12(5) GDPR refers to repetitive requests as one example of when a request may be excessive. That does not, however, mean that only repeated requests can fall within that provision. Even a first request may in principle be excessive, but the threshold is high.
The Court describes a two-stage abuse assessment. First, there must be objective circumstances showing that the purpose of the right of access is not genuinely being pursued. Secondly, there must be an improper intention to create the conditions for obtaining an advantage, such as a damages claim, by artificial means.
The fact that an individual has previously submitted many similar requests and then sought compensation may therefore be one indication. However, that will not normally be sufficient on its own. The assessment must be made in light of the circumstances of the individual case.
What factors did the Court consider in C-526/24?
The Court identifies several factors that may be relevant when assessing whether a request is excessive:
- that the data subject disclosed their personal data voluntarily,
- the purpose for which that was done,
- how little time passed between the disclosure and the access request, and
- how the data subject acted more generally.
The key issue is therefore not how many previous claims the individual has made against other organisations, but whether the request in question appears to be a genuine exercise of a right or an artificial step in a scheme designed to seek compensation.
What does the judgment mean for damages under Article 82?
The Court also makes clear that damage under Article 82 GDPR does not need to arise solely from the processing of personal data in the narrow sense. A denial of the exercise of rights under Chapter III GDPR, including Article 15, may in principle also form the basis for compensation.
That does not mean that every incorrect handling of a request automatically leads to damages. The data subject must still establish three elements:
- that an infringement has in fact occurred,
- that actual damage has arisen, and
- that there is a causal link between the infringement and the damage.
At the same time, the Court leaves room for the causal link to be broken where the data subject’s own conduct is the decisive cause of the alleged damage. In practice, that is an important signal against arrangements in which someone deliberately tries to manufacture a compensation claim.
Practical lessons for businesses handling GDPR access requests
For controllers, the judgment does not provide any general licence to reject inconvenient or suspicious requests. On the contrary, the reasoning suggests that the threshold remains demanding, particularly in relation to a first access request.
Businesses should therefore be cautious about alleging abuse without a well-documented basis. An overly hasty refusal may in itself create a greater legal risk.
- Always carry out an individual assessment of the request in question.
- Document the specific circumstances supporting the view that the request may be excessive.
- Distinguish between suspicion and evidence; a previous pattern is not necessarily enough.
- Ensure that internal procedures for Article 15 requests operate within the GDPR time limits.
- Consider obtaining legal advice before rejecting a request on the basis of abuse of rights.
Digital Omnibus may change the legal position
The judgment comes at a time when the issue is also being discussed in connection with the “Digital Omnibus”. The material underpinning the simplification initiatives currently under consideration includes proposals to address more clearly situations in which the right of access is used for purposes other than data protection.
The future legal position may therefore be shaped not only by case law, but also by legislative developments. For now, however, the starting point should be that C-526/24 does not lower the level of protection for data subject rights. Rather, it clarifies that abuse may be taken into account in exceptional cases where there are sufficiently strong circumstances.
Where is the line?
The most practically useful answer from C-526/24 is that the line is not drawn by how active or litigation-minded a data subject has previously been. Instead, it turns on whether the request in question, assessed on the basis of objective circumstances, appears to be an attempt to manufacture a damages claim rather than a genuine exercise of the right of access.
For businesses, that means striking the right balance: rights requests must be taken seriously, but there is also scope to object to genuine abuse where the circumstances clearly justify it.
At Morling Consulting, our data protection lawyers help businesses across Europe manage data subject rights, build robust internal processes and assess risk at the intersection of data protection, disputes and compliance.