Blocking Bad-Faith DSARs: The Brillen Rottler Ruling
The Court of Justice of the European Union (the “CJEU”) delivered a judgment on 19 March 2026 addressing when a controller may refuse to act on a data subject access request (a “DSAR”) on the basis that it is “excessive” under Article 12(5) GDPR. The CJEU also considered the scope of compensation under Article 82 for infringements of the right of access under Article 15.
Background
The case concerned an Austrian resident who subscribed to the newsletter of Brillen Rottler, a German optician, by filling out a form on their website. Thirteen days later, the individual submitted a DSAR under Article 15 GDPR. Brillen Rottler refused the DSAR on the grounds that it was abusive within the meaning of Article 12(5) GDPR and invited the requester to withdraw it. Article 12(5) provides that where a controller can demonstrate that “requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character,” the controller may either refuse the request or charge a reasonable fee for fulfilling it.
The requester maintained his request and sought €1,000 in non-material damages under Article 82 GDPR, which he claimed resulted from the refusal of the DSAR. Brillen Rottler responded by bringing proceedings in its local court seeking a declaration that the requester was not entitled to any compensation. In support of its application, it provided publicly available reports and commentary suggesting that the individual systematically subscribed to newsletters, submitted DSARs shortly afterwards, and then pursued compensation claims.
Questions Referred
The referring court posed eight questions to the CJEU which, in summary, aimed to establish the following:
- Can a data subject’s first DSAR be considered excessive?
- Can the data subject’s intention and publicly available information be used to establish that a DSAR is excessive?
- Is a data subject entitled to compensation for a violation of their right of access?
- Does the loss of control and/or uncertainty about the processing of their data constitute non-material damage?
Judgment
The CJEU held in its judgment that a first DSAR could be considered manifestly unfounded or excessive where the controller can demonstrate that the requester had an abusive intention. An abusive intention exists where the right of access is invoked not to understand what data are processed or to verify the lawfulness of the processing, but to engineer an advantage under the GDPR, such as creating the basis for a damages claim. As this is an exception to the controller’s general duty to facilitate the exercise of data subject rights, the Court stressed that it must be interpreted narrowly.
The Court stated that a first request for access may be considered excessive where the controller demonstrates that the request was not made for the purposes of being aware of the processing or determining its lawfulness, but rather with an abusive intention, such as artificially creating the conditions to obtain an advantage from the GDPR. The Court held that when establishing an abusive intention, it will be necessary to take into account all the circumstances of the case. In this instance, the controller could take into account the following circumstances:
- that the data subject provided personal data without being obliged to do so;
- the aim of providing that data;
- the time elapsed between providing the data and the DSAR; and
- publicly available information showing that the data subject had made numerous requests for access, followed by claims for compensation, to various controllers.
On remedies, the CJEU confirmed that a data subject can recover damages for an infringement of their right of access. The Court further confirmed that a data subject can in principle claim non-material damages for the loss of control over their data and their uncertainty as to whether their data has been processed. To claim damages, the data subject must establish: (i) a GDPR infringement; (ii) that damage has actually been suffered; and (iii) a causal link between the two. The Court stated, however, that such causal link may be broken where the conduct of the data subject is the determining cause of the damage. This can occur where the data subject submits data with the aim of artificially creating the conditions for compensation under the GDPR.
Impact of Judgment
Brillen Rottler establishes that a controller can reject DSARs as “excessive” where they are made solely with the intention of extracting compensation from the controller for a GDPR violation. Although this judgment may be welcomed by controllers, the bar for proving abusive intention remains high and the burden of proof lies with the controller. Brillen Rottler was a rare case where publicly available information demonstrated the nefarious intentions of the data subject. The vast majority of DSARs that a controller receives are unlikely to display an abusive intent that can be as easily proven as that of the data subject in Brillen Rottler, and genuine DSARs must still be complied with. Nevertheless, it would be prudent for controllers to remain vigilant for requesters with an abusive intention, as that is now clearly established as a ground that they can use to refuse a DSAR. Regarding remedies, the judgment maintains the broad scope of damages available under Article 82 but provides that the causal link necessary to claim damages can be broken where the data subject’s conduct is the determining cause of the damage.
The ruling is also relevant in the context of the proposed Omnibus Regulation. The Commission’s proposal suggests amending Article 12(5) GDPR to allow a controller to charge a reasonable fee or refuse to act on a DSAR where they can demonstrate reasonable grounds for believing that the data subject is abusing their GDPR rights for purposes other than the protection of their data. The EDPB and EDPS’ Joint Opinion on the proposal suggests a narrower carve-out for abusive DSARs, requiring the controller to demonstrate an “abusive intention”, and opposes the proposal to reduce the burden of proof to “reasonable grounds”. The CJEU’s decision in Brillen Rottler mirrors the position in the Joint Opinion, so it will be interesting to see what position is adopted in the final text of the Omnibus Regulation.
This document has been prepared by McCann FitzGerald LLP for general guidance only and should not be regarded as a substitute for professional advice. Such advice should always be taken before acting on any of the matters discussed.

