CJEU ruling clarifies when a subject access request is abusive

In a landmark judgment on Wednesday, 19 March 2026, the Court of Justice of the European Union (CJEU) ruled in Case C-526/24 (in French) that a Subject Access Request (SAR) under the EU General Data Protection Regulation (GDPR) may be regarded as excessive and refused if it is made for the sole purpose of claiming compensation.

The case involved an individual residing in Austria who subscribed to a newsletter from a German optician, Brillen Rottler, only to submit a request for access to his personal data thirteen days later.

Brillen Rottler refused the request, labelling it abusive. The company provided evidence from reports and newsletters indicating that the individual had a history of systematically subscribing to various company newsletters, specifically with the intent of submitting a SAR ahead of a compensation claim. The individual countered that his SAR was legitimate and sought at least €1,000 in compensation for non-material damage resulting from the refusal.

The CJEU clarified that even a first request for access may be considered excessive if the controller demonstrates that the requester's intention is abusive. Specifically, this applies when a request is made not to verify the lawfulness of data processing, but to artificially create the conditions required to trigger a compensation claim. The CJEU noted that a high volume of similar requests and subsequent claims against various controllers, supported by publicly available information, can be used to establish such abusive intent. Furthermore, the Court clarified that compensation cannot be awarded if the data subject's own conduct is the determining cause of the damage claimed. The ruling provides a clear precedent for controllers to challenge and refuse SARs that fall outside of the intended purpose of the right of access.

For practitioners interested in reading the judgment, a LinkedIn post by Peter Craddock, a partner at the international law firm Keller and Heckman, provides a summary in English of the relevant excerpt. 

Additional commentary on LinkedIn is available here and here.

(Translate to English: Google Chrome, Mozilla Firefox, Microsoft Edge, or Apple Safari) 

Training Announcement: Freevacy offers a range of independent data protection qualifications from IAPP and BCS. Our certified courses are available at foundation and practitioner levels and cover multiple legal jurisdictions, data protection operations management, and the implementation of complex privacy solutions in technical environments. Find out more.