In its decision of 19 March 2026, the CJEU held that even a first request for access can be considered abusive if it is made solely to create the conditions for claiming compensation under the GDPR, rather than to verify data processing. The CJEU further clarified that compensation under Article 82 GDPR requires the data subject to demonstrate actual damage, and that compensation may be denied if the damage is primarily the result of the data subject’s own conduct.
Legal framework: the limits of data access requests
Article 12(5) GDPR allows controllers to refuse to act on requests that are “manifestly unfounded or excessive”, or to charge a reasonable fee for handling such requests. However, the GDPR does not explicitly define what constitutes “abuse” or “abusive intent”, leaving controllers uncertain about how to respond to requests that, while perhaps not excessive in volume, are driven by other motives.
While courts in certain jurisdictions have begun to clarify the boundaries of this concept, the GDPR itself remains silent on the definition of "abuse." Anticipating the draft EU Digital Omnibus reform (which proposes to allow controllers to reject or charge for DSARs where there are reasonable grounds to believe data subject rights are being abused for purposes other than data protection – see our article for more details), the Court of Justice of the European Union (CJEU) has, for the first time, directly addressed this ambiguous notion.
Case Background
An Austrian individual subscribed to the newsletter of Brillen Rottler, a German optician, providing his personal data online. Thirteen days later, he submitted a data subject access request under Article 15 GDPR. Brillen Rottler refused, alleging the request was abusive, and cited evidence that the individual routinely subscribed to newsletters, then submitted access and compensation claims. The individual sought at least €1,000 in compensation for non-material damage. The dispute was referred to the CJEU by the Local Court in Arnsberg, Germany.
Amongst the eight questions raised to the court, the key questions were: a) can a first access request be considered “excessive” under the GDPR? and b) is the individual entitled to compensation for any damage resulting from refusal of access?
What can we learn from the decision?
First Requests Can Be Abusive
It is a general and accepted principle that EU law cannot be relied upon for abusive or fraudulent ends [1]. An abusive intention may be found where complaints or requests are made in circumstances where it is not objectively necessary to do so in order to protect the data subject’s rights.
The CJEU confirmed that even a first access request can, in exceptional circumstances, be “excessive” and thus abusive. Specifically, this is the case where the controller can demonstrate that the request was not genuinely aimed at verifying the lawfulness of processing, but was made with an “abusive intention,” such as to create grounds for compensation.
Assessment of Abusive Intention
The burden of proof lies with the controller. Relevant factors include:
- The data subject’s pattern of behaviour (e.g., systematically subscribing to newsletters and immediately requesting access and compensation);
- The timing between data provision and the access request;
- Publicly available information suggesting a pattern of similar claims;
- Any other relevant evidence.
Right to Compensation
Article 82 GDPR confers a right to compensation for material or non-material damage resulting from infringement of the right of access. However, the data subject must prove actual damage and a causal link between the infringement and the damage.
Limits to Compensation
If the damage suffered is the result of the data subject’s own conduct (such as deliberately creating the conditions for a claim), compensation may be denied. Non-material damage like loss of control or uncertainty about data processing must be real and not self-inflicted.
Comparative Perspectives
- France: The CNIL considers that the data controller may refuse to respond to DSARs that are manifestly abusive, particularly due to their number, repetitive nature, or systematic character (for example, requesting a full copy of a recording every week). However, French courts remain cautious in their approach to the concept of “abuse”, particularly as disputes most frequently arise in the context of employment litigation, where the debate often centres on the right to evidence and an employee’s ability to obtain data to build a case. While the courts regularly reiterate that individuals are not required to justify the purpose of their requests - except in cases where the company can demonstrate that the data subject already held a copy of their data [2] - they also require companies to carry out a proportionate assessment between respecting the rights of the individual and protecting the interests of third parties, thereby placing the risk of non-compliance on the company.
- UK: The CJEU’s decision is consistent with the position in the UK, where the courts have established that, while the controller can take into account the individual’s purpose for making the request, it does not invalidate the request and the controller should not give it undue weight [3]. This is reflected in the Information Commissioner’s Office (ICO) guidance on the right of access, which states that, while the purpose behind a request is not relevant to whether it is valid, it may be considered in justifying whether the request may be manifestly unfounded or excessive. If the controller wants to rely on this factor, it needs to be able to show that it indicates a pattern of behaviour that supports the controller’s position that the person made the request for a purpose other than exercising the right of access. The UK courts have consistently held that individuals claiming compensation for breach of data protection law must prove that the breach caused them damage or distress [4].
- Germany: The distinction between the “use” and abuse of data subject rights remains a contentious issue in Germany, as evidenced by the referral to the CJEU by the Local Court of Arnsberg. Case law is not yet settled, with courts issuing divergent decisions; however, civil courts have recently raised the threshold for claimants, particularly regarding the substantiation of claims for compensation.
An evolving topic is the business model of so-called ‘GDPR hoppers’: individuals who apply for open positions at companies and, after withdrawing or after their application is unsuccessful, file DSARs and subsequently pursue lawsuits in Labor Courts to seek compensation for damages. This happens in particular in courts with a tendency to rule in favour of the data subjects, even if the plaintiff is already well known to them from previous proceedings, i.e. where they are fully aware of the data subject’s pattern of behaviour. The CJEU’s decision is expected to contribute to a clarification of the subtle distinction between use and abuse of rights. In the meantime, some employment courts have come up with more inventive approaches by suggesting to the parties settlements where the defendant pays an amount to charity rather than damages to the plaintiff. It will be interesting to see whether this approach, if applied to other cases, discourages the business model.
Data controllers: what should you do?
The CJEU’s decision marks a significant step in clarifying the boundaries of the right of access under the GDPR. While the right remains fundamental, it is not absolute and controllers now have firmer grounds to challenge requests that are manifestly abusive. However, the burden of proof remains high and must be carefully evidenced.
What are the practical steps?
- Controllers should document patterns of abusive behaviour and gather objective evidence before refusing requests or charging fees.
- The intention behind a request can be relevant, but controllers must be able to substantiate claims of abuse with concrete facts.
- While data subjects are not required to state their reasons for access, their modus operandi and public information about their conduct can be considered.
Footnotes
[1] See Article 57(4) GDPR and the judgment of 9 January 2025, Österreichische Datenschutzbehörde, C-416/23.
[2] French Paris Court of Appeal, 18 December 2025.
[3] See Dawson-Damer v Taylor Wessing [2017] EWCA Civ 74, Ittihadieh v 5-11 Cheyne Gardens TRM Co Ltd and Dr Cecile Deer v University of Oxford [2017] EWCA Civ 121 and B v General Medical Council [2018] EWCA Civ 1497.
[4] See Farley and others v Paymaster (1836) Ltd [2025] EWCA Civ 1117.