
Abuse of the DSAR mechanism: Brillen Rottler in the EU Court of Justice

By Peter Given & Stuart Hunt

Published 20 April 2026

Overview

The Court of Justice of the European Union has confirmed the extent to which data controllers may refuse first-time data subject access requests (DSARs) as 'excessive', and whether compensation can be awarded to a data subject for a controller's refusal to respond to a DSAR.

The decision in Brillen Rottler v TC will be viewed both positively and negatively by data controllers. The decision makes clear that a first-time DSAR made under Article 15 can be refused as being excessive in certain circumstances, and that a claim for compensation under Article 82 does not require 'unlawful' processing. A controller’s refusal may trigger a data subject's right to compensation, albeit requiring a consideration of both fault and causation rather than an automatic liability.

At a high level, the key takeaway from this decision is that first-time DSARs can be refused in principle as being excessive. This should be welcomed in preventing DSARs being used as a shortcut to successful damages claims. However, any such refusal is subject to certain criteria, with the controller holding the burden of proof. Controllers will not be able to rely on this decision as a consistent mechanism to avoid complying with DSARs. The CJEU made clear that any refusal requires a qualitative assessment of both objective and subjective elements.

Controllers in the EU must now be acutely aware that a claim for compensation under Article 82(1) does not require unlawful processing. This includes a refusal to comply with a DSAR, but also failing to respond to a DSAR correctly, subject to the usual conditions of causation and damage. Organisations responding to a large number of DSARs must have operational procedures in place to ensure that DSARs are addressed correctly, or risk a claim.

Although the UK courts are not bound by the CJEU decision, they may consider it to be relevant. This decision is of interest to UK organisations. The ICO guidance is largely reflective of the CJEU judgment on those subjective factors which should be considered when refusing a DSAR.

The ICO guidance includes those broader subjective factors such as a pattern of behaviour, identifying that a DSAR made maliciously, or not genuinely aimed at exercising an individual's data protection rights, may be regarded as 'manifestly unfounded'. However, the ICO guidance does not make explicitly clear that it is possible for a first DSAR to be considered as excessive.

 

Background

The individual, an Austrian resident, subscribed to the newsletter of an optician company (Brillen Rottler). This involved entering his personal data on the Brillen Rottler website. Less than two weeks after doing so, the individual issued a DSAR pursuant to his Article 15 rights.

That request was refused on the grounds it was abusive. Article 12(5) GDPR permits the data controller to refuse to act on a DSAR where it is 'manifestly unfounded' or 'excessive'.

Brillen Rottler considered this DSAR excessive, particularly as they had information that the individual systematically made DSARs in an effort to make claims for compensation. The individual argued that his DSAR was valid, and that the refusal justified compensation of at least EUR1,000 for non-material damage.

The local court in Austria made a referral to the Court of Justice of the European Union (CJEU) asking the following questions:

  1. Whether a first request for access to personal data made by the data subject to the controller can be regarded as ‘excessive’, and if so, what circumstances make it possible, as the case may be, to establish such excessive character
  2. Whether a right to compensation arises resulting from a refusal of the right of access
  3. Whether any right to compensation arising encompasses a loss of control over an individual's personal data or that individual's uncertainty as to whether their data has been processed

 

CJEU decision

Can a first SAR made by an individual to a controller be excessive?

In short, yes.

The right to the protection of personal data is not absolute, and must be balanced against other fundamental rights. Article 12(5) makes clear that 'manifestly unfounded or excessive' requests can be refused (or subject to a reasonable fee). DSARs may be refused due to their repetitive character. However, the Court found that 'excessive' does not mean repeated alone. A controller may refuse a first DSAR where "it establishes [in all the relevant circumstances]… that there has been an abusive intention on the part of that data subject".[1]

Determining whether a first (or subsequent) DSAR is excessive requires a qualitative assessment of all the circumstances, not merely its timing or frequency. In short, characterising a first DSAR as excessive will be subject to strict criteria, and only in exceptional circumstances.

To establish the abusive intention, a controller must prove both an objective element and a subjective element. Objectively, the DSAR must fall outside the genuine purpose of Article 15; this being to enable individuals to understand how their data is processed and check the lawfulness of that processing. Subjectively, the controller must show that the data subject’s true intention was abusive, i.e. not to exercise data protection rights, but for another purpose, such as "artificially creating"[2] grounds for a compensation claim.

The CJEU stated that evidence of such an abusive intention may include:

  • Whether the individual provided the personal data without being required to do so
  • The intended aim when providing the data
  • The time period between the provision of the data and the subsequent DSAR
  • The individual's conduct including wider patterns of conduct around the use of DSARs to seek compensation (using publicly available information)

The CJEU makes clear that the burden of proof rests squarely on the controller.

 

Right to compensation following a refusal

The CJEU addressed Questions 2 and 3.

A refusal to comply with a DSAR can give rise to a right to compensation under Article 82 of the GDPR. Crucially, that right to compensation is not limited to situations where unlawful processing of personal data has taken place.

The GDPR aims to strengthen the rights of data subjects and the obligations of data processors and controllers. Those rights "would be significantly weakened if… Article 82(1) were to be interpreted as being limited solely to damage resulting from unlawful acts involving data processing."[3]

Article 82(1) applies to any infringement of the GDPR causing material or non-material damage, including infringements of the right of access under Article 15 and associated Article 12 obligations. Article 82(1) refers to damage suffered "as a result of an infringement" of the GDPR. There is no restriction on compensation for damage (whether material or non-material) caused by processing activities alone. In short, a controller’s refusal may trigger a right to compensation, provided the other conditions are met.

On the second issue, the CJEU addressed the scope of compensable non-material damage. It reiterated that not every infringement automatically gives rise to compensation.[4] Those seeking compensation for non-material damage must establish an infringement of the GDPR, actual damage suffered, and a causal link between the two. Non-material damage cannot be presumed simply because a breach occurred.[5]

The CJEU reaffirmed existing principles. Mere 'loss of control' of personal data can result in material or non-material damage to a data subject, and 'non-material damage' is not subject to a de minimis threshold.[6]

A loss of control over personal data, or uncertainty as to whether personal data has been processed, can be considered non-material damage. However, the data subject must demonstrate harm was actually suffered beyond mere infringement; "the mere allegation by the data subject of fear caused by a loss of control over his or her personal data cannot give rise to compensation".[7]

Further, where the causal link is broken, compensation will not be awarded. For example, this may involve the data subject’s own conduct being the determining cause of the alleged loss of control (or uncertainty). This would include individuals deliberately creating the situation in order to manufacture a compensation claim.[8]

 

 

Future developments

This decision is consistent with changes proposed to Article 12(5) within the Digital Omnibus proposals. The very scenario discussed in Brillen Rottler is considered in Recital 35 of the Digital Omnibus proposal, with proposed changes to Article 12(5) expressly introducing wording that a refusal (or reasonable fee) may result where "the data subject abuses the rights conferred… for purposes other than the protection of their data."

Nonetheless, the CJEU has made clear that refusing a DSAR as 'excessive' remains a fact-specific analysis requiring a qualitative exercise (whether for first-time or subsequent DSARs). Controllers clearly should be mindful of all the circumstances when denying data subjects' fundamental rights. It could be argued that the decision overall represents a softening of the capacity of data controllers to refuse DSARs at the risk of facing compensation claims. The proposals within the Digital Omnibus offer only clarifications, as opposed to reshaping the threshold for refusal.

By contrast, the initial draft of the abandoned Data Protection and Digital Information Bill in the UK proposed changing the threshold from ‘manifestly unfounded or excessive’ to 'vexatious or excessive'. That proposal was seen as strengthening the rights of data controllers at the expense of fundamental rights[9], and was ultimately not included in the Data (Use and Access) Act.

Ultimately, the decision in Brillen Rottler will be viewed both positively and negatively for all involved. Data subjects will not be able to treat DSARs as a tool for manufacturing compensation claims; data controllers do not have a blank cheque to refuse DSARs as 'excessive', nor to ignore their responsibilities to respond at the risk of the very claims they would like to avoid.

 

[1] Case C‑526/24, Brillen Rottler GmbH & Co. KG v TC, ECLI:EC:C:2026:216, para 31

[2] Ibid, para 21

[3] Ibid, para 53

[4] Ibid, para 55

[5] Ibid, para 60

[6] Ibid, para 62

[7] Ibid, para 63

[8] Ibid, para 66

[9] Woodhouse J. (2023), Data Protection and Digital Information (No. 2) Bill, Briefing Paper 9746, House of Commons Library 
