GDPR: Can a First Request to Exercise the Right of Access Be Considered Abusive?

GDPR: Can a First Request to Exercise the Right of Access Be Considered Abusive?

Key Takeaways


Data controllers may refuse to act on a request to exercise the right of access to personal data. However, such refusal must be properly documented. An unjustified refusal may give rise to a right to compensation.


Among the rights granted to data subjects, the right of access allows individuals to obtain confirmation as to whether or not personal data concerning them are being processed and, where that is the case, access to those personal data. It is one of the fundamental rights available to data subjects. This right, set out in Article 15 of the GDPR, conditions the effective exercise of the other rights provided for under the Regulation. (1)

However, this right is not without limits. In a judgment delivered on March 19, 2026, the Court of Justice of the European Union (CJEU) provided clarification on the limits of this right and on the consequences of an unlawful refusal. (2)

In this case, an individual had subscribed to the newsletter of a German optical company and, thirteen days later, submitted a request to exercise the right of access to their personal data. Considering the request to be abusive, the company refused to act on it. The individual subsequently sought compensation on the basis of Article 82 of the GDPR.

The Arnsberg Regional Court (Germany), before which the dispute was brought, referred the following two questions to the CJEU: 1. Can a first request to exercise the right of access be considered excessive by the controller? 2. Is the data subject entitled to compensation for damage resulting from a violation of the right of access?


1. Can a First Request to Exercise the Right of Access Be Considered Excessive by the Controller?

Article 12(5) of the GDPR provides that where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the data controller may either charge a reasonable fee or refuse to act on the request.

The question referred to the Court was whether it is possible to refuse to act on a first request to exercise the right of access. The Court answered in the affirmative and clarified that the repetitive nature of requests is mentioned only by way of example and does not constitute a necessary condition.

However, the possibility of refusing to act on a request to exercise the right of access is strictly limited. The right of access is one of the fundamental rights of data subjects. The CJEU recalled that Article 12(5) constitutes an exception to the controller’s obligation to facilitate the exercise of data subject rights. As such, it must be interpreted restrictively.

The excessive or abusive nature of a request to exercise the right of access cannot be inferred solely from the practical difficulties encountered by the controller in responding to it. The controller must demonstrate that the request was not made in order to obtain confirmation as to whether or not personal data are being processed and access to those data, and to verify the lawfulness of the processing, but rather for an abusive purpose, for example to artificially create the conditions for a compensation claim.

This assessment must be based on a set of indicators. The following may be taken into account: the fact that the data subject provided their personal data without being compelled to do so; the purpose for which the personal data were provided; the time elapsed between the provision of the personal data and the request to exercise the right of access; and the overall conduct of the data subject.

Publicly available information indicating that the data subject has submitted similar requests to exercise the right of access to multiple controllers, followed by compensation claims based on a comparable pattern, may also be taken into account. However, such information must be corroborated by other relevant factors.


2. Can the Data Subject Obtain Compensation for Damage Resulting from a Violation of the Right of Access?

In its judgment of March 19, 2026, the CJEU also held that Article 82(1) of the GDPR confers on the data subject a right to compensation where the damage alleged results from a violation of the right of access provided for in Article 15. Such a right to compensation is therefore not conditional upon the existence of unlawful processing of personal data. It may, in particular, be invoked in the event that the controller unlawfully refuses to act on a request to exercise the right of access.

The right to compensation requires that three cumulative conditions be met: a violation of the GDPR, damage, and a causal link between the two. For example, loss of control over personal data may, under certain circumstances, constitute material or non-material damage.

However, non-material damage cannot be presumed solely on the basis of the violation. The data subject must demonstrate that they have actually suffered damage, even if minimal, which is distinct from the mere violation of the Regulation.

Finally, the Court states that the conduct of the data subject may break the causal link where it constitutes the determining cause of the alleged damage. This is the case, in particular, where an individual provides their personal data to the controller with the intention of artificially creating the conditions for a compensation claim.


3. What Are the Consequences for Controllers?

The significance of this judgment lies in the clarification of the criteria enabling controllers to oppose a request to exercise the right of access.

Although Article 12(5) of the GDPR allows controllers to refuse to act on a request that is manifestly unfounded or excessive, such refusal can only be considered on an exceptional basis and must be supported by documented evidence demonstrating an abusive intent.

It is therefore recommended to implement an internal procedure for handling requests to exercise the right of access, including the following steps:
     - identification of the request;
     - verification of the identity of the data subject;
     - precise determination of the scope of the request;
     - collection and consolidation of the information to be provided in accordance with Article 15;
     - compliance with the applicable time limits for responding;
     - and legal validation in case of difficulty.

Documenting the handling of requests to exercise the right of access makes it possible to justify any refusal. Failing this, the controller may face not only claims for violation of the GDPR and compensation by the data subject, but also an investigation by the French supervisory authority (CNIL).

It should be noted that repeated requests to exercise the right of access are not necessarily abusive, in particular where they are made at reasonable intervals. (3)

* * * * * * * * * * *


(1) In a judgment of January 12, 2023, the CJEU recalled that the right of access must enable the data subject to effectively exercise the other rights provided for by the GDPR (rights of rectification, erasure, restriction of processing, and objection), in order to obtain, where appropriate, the elements necessary to bring legal proceedings. (CJEU, Jauary 12, 2023, Case C-154/21, Österreichische Post AG).

(2) CJEU, March 19, 2026, Case C-526/24, Brillen Rottler GmbH & Co. KG.

(3) In another 2023 judgment, the CJEU clarified that the right of access must be exercisable easily and at reasonable intervals, in order to ensure effective oversight of processing (CJEU, October 26, 2023, Case C-307/22, FT v. DW).

Bénédicte DELEPORTE
Avocat

Deleporte Wentz Avocat
www.dwavocat.com

April 2026

Go back to News and Publications

Mots clés :

advertising (1) adwords (3) ai (29) anssi (3) arcep (5) arcom (21) artificial intelligence (12) audiovisual (2) audit (4) blockchain (8) cbpr (7) children (4) cjeu (3) cloud computing (3) cnil (24) commerce (6) communication (9) compliance (44) confidentiality (2) consumers (3) contract (9) cookies (8) copyright (5) cross-border data transfers (8) cybercrime (2) cybersquatting (3) data controller (4) data privacy (23) data privacy framework (2) database (1) digital accessibility (1) domain names (2) dpf (2) drones (1) dsa (10) e-commerce (17) e-consumers (1) employee (3) encryption (1) eu (26) europe (25) france (15) fraud (1) gdpr (39) general data protection regulation (12) health (1) indexing (2) information technology (9) intellectual property (10) internet (36) ip (5) legal training (4) liability (5) métavers (3) networks (1) nft (4) privacy (17) privacy shield (2) regulation (4) robotics (7) rpa (6) safe harbor (2) search engines (4) security (4) singapore (5) social media (7) software (7) terms and conditions (gtc's) (1) trademark (2) uas (1) unmanned aircraft (1) us (3) video game (3)