Can a first request for access under Art. 15 GDPR already constitute an abuse of rights if it is aimed solely at obtaining compensation? The Court of Justice of the European Union (CJEU) delivered an important judgment on this question and, at the same time, clarified whether the mere infringement of the right of access can in itself give rise to non-pecuniary damage (judgment of 19 March 2026, Case C‑526/24).
The facts
An Austrian consumer subscribed to the newsletter of the German optician Brillen Rottler and, shortly afterwards, submitted a request for access under Art. 15 of the General Data Protection Regulation (GDPR).
The company refused to provide the access on the grounds that the request constituted an abuse of rights. The data subject had apparently systematically used newsletter subscriptions to subsequently demand access and compensation.
The case was referred via the Arnsberg Local Court to the Court of Justice of the European Union, which clarified several points of principle regarding excessive requests for access, abuse of rights and compensation.
Current judgements on the GDPR
Read our regular reviews of data protection law rulings to stay up to date!
The ruling
The CJEU has, for the first time, expressly confirmed that an initial request for access may constitute an abuse of rights. The decisive factor is not the number of requests, but the intention with which they are made. Accordingly, a request is excessive if it does not serve the purpose of transparency, but is aimed solely at artificially creating the conditions for a claim for damages.
However, the Court emphasises that the requirements for proving abuse are high.
Companies may also take into account publicly available sources showing that a person acts in the same way in many comparable cases. Whilst such access is not proof in itself, it may constitute an important indication within the context of an overall assessment.
Also relevant are
- the time of the data transfer,
- the time elapsed since the request, and
- the behaviour of the data subject before and after the request.
Furthermore, the CJEU clarifies that compensation under Art. 82 GDPR may also be claimed where the damage results solely from the infringement of the right of access. Unlawful processing is not required for this.
The Court recognises both a loss of control over personal data and uncertainty regarding its processing as non-material damage, provided that this impairment has actually occurred and was not caused by the conduct of the data subject themselves.
Data protection assessment
The judgment provides valuable guidance for businesses.
It remains the case that the right of access is a key instrument of transparency and must, in principle, be applied generously by data controllers. At the same time, the CJEU demonstrates that data controllers are not defenceless against abusive requests for access – even in the case of initial requests.
Companies may reject a request if they can provide plausible and comprehensible evidence that the data subject is exploiting the procedure. However, the hurdles remain high, as the CJEU requires two-stage proof:
- objective circumstances indicating that the situation has been artificially created, and
- a subjective element that reveals the abusive intent.
At the same time, the CJEU strengthens data subjects’ rights by clarifying that failure to respond to legitimate requests for access may lead to compensation – even in the absence of underlying unlawful processing. For companies, this means that unjustified refusals can prove costly.
Furthermore, the judgment makes it clear that, whilst non-material damage is not subject to high thresholds of materiality, it must be substantiated in concrete terms. Data controllers should therefore carefully assess whether the damage claimed can plausibly be attributed to the alleged infringement.
Conclusion
For the first time, the CJEU has established clear criteria against so-called ‘GDPR hopping’, which has hitherto been difficult to prove.
In practice, this means that companies may already scrutinise an initial request for access if there are clear indications that it was made solely to obtain compensation. In practice, this applies in particular to cases where a request for access is made unusually quickly after data collection, where public sources indicate a mass campaign, or where the data subject’s behaviour reveals a clear pattern.
At the same time, the risk remains that an unjustified refusal could lead to compensation – including non-material damages such as loss of control or uncertainty regarding data processing.
Companies should therefore adapt their internal processes for handling data access requests. This includes a structured initial assessment, careful documentation of all relevant evidence, clear management of time limits (as even a plea of abuse of rights may be time-barred), and legally sound decision-making procedures, along with their thorough documentation.
The CJEU’s ruling demonstrates that the GDPR effectively protects data subjects’ rights, but that abusive business models based on it are increasingly being curtailed to ensure that data subjects’ rights are not undermined contrary to the legal purpose of the legislation.