In its judgment of 19 March 2026 (C-524/24 – Brillen Rottler), the ECJ confirmed that a GDPR access request may be classified as abusive if it does not serve the purpose of protecting the data subject’s privacy, but rather solely aims at a subsequent damages claim. This applies even to a first-time request.
In the specific case, a known ‘privacy activist’ from Austria had subscribed to a German optician’s newsletter and, a few days later, requested access to their data. The business rejected the request on the basis of indications that the data subject systematically and routinely subscribes to newsletters, requests data access and subsequently claims damages for the alleged unlawful processing of their data. The ECJ confirmed that rejecting such requests may indeed be lawful. The request could be excessive and abusive if its sole purpose is to create the conditions for a subsequent financial claim.
Businesses may therefore refuse requests for information provided they can establish with sufficient certainty that the request serves abusive purposes. At the same time, the proper review and documentation of incoming data subject requests remain crucial to ensure continued compliance and to avoid fines.
(Dr. Lukas Mezger, Unverzagt Law)