IP case law Court of Justice

CJEU, 19 Mar 2026, C-526/24 (Brillen Rottler)

Personal Data Protection > General Data Protection Regulation (GDPR) > Article 12 Transparent information, communication and modalities for the exercise of the rights of the data subject
Personal Data Protection > General Data Protection Regulation (GDPR) > Article 15 - Right of access by the data subject
Personal Data Protection > General Data Protection Regulation (GDPR) > Article 82 - Right to compensation and liability
Personal Data Protection > General Data Protection Regulation (GDPR) > Article 82 - Right to compensation and liability

Provisional text

JUDGMENT OF THE COURT (Fourth Chamber)

19 March 2026 (*)

( Reference for a preliminary ruling – Protection of natural persons with regard to the processing of personal data – Regulation (EU) 2016/679 – Article 12(5) – Article 15(1) – Data subject’s right of access to the personal data concerning him or her – Controller’s right to refuse to act on the request for access – Excessive character of the request – Abuse of rights – First request for access – Right to compensation and liability – Article 82(1) – Action based on infringement of the right of access – Non-material damage – Loss of control over personal data )

In Case C-526/24,

REQUEST for a preliminary ruling under Article 267 TFEU from the Amtsgericht Arnsberg (Local Court, Arnsberg, Germany), made by decision of 31 July 2024, received at the Court on the same day, in the proceedings

Brillen Rottler GmbH & Co. KG

v

TC,

THE COURT (Fourth Chamber),

composed of I. Jarukaitis, President of the Chamber, K. Lenaerts, President of the Court, acting as Judge of the Fourth Chamber, M. Condinanzi, N. Jääskinen and R. Frendo (Rapporteur), Judges,

Advocate General: M. Szpunar,

Registrar: I. Illéssy, Administrator,

having regard to the written procedure and further to the hearing on 5 June 2025,

after considering the observations submitted on behalf of:

–        Brillen Rottler GmbH & Co. KG, by J. Tröber, Rechtsanwalt,

–        TC, by P. Brandt, Rechtsanwalt,

–        the European Commission, by A. Bouchagiar, M. Heller and H. Kranenborg, acting as Agents,

after hearing the Opinion of the Advocate General at the sitting on 18 September 2025,

gives the following

Judgment

1        This request for a preliminary ruling concerns the interpretation of point 2 of Article 4, Article 12(5) and Article 82(1) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ 2016 L 119, p. 1; ‘the GDPR’).

2        The request has been made in proceedings between Brillen Rottler GmbH & Co. KG, a family run optician company, and TC, an individual, concerning that company’s refusal to grant TC’s request for access to his personal data pursuant to Article 15 of the GDPR.

 Legal context

3        Recitals 4, 10, 11, 63, 85, 141 and 146 of the GDPR state:

‘(4)      The processing of personal data should be designed to serve mankind. The right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality. This Regulation respects all fundamental rights and observes the freedoms and principles recognised in the [Charter of Fundamental Rights of the European Union (“the Charter”)] as enshrined in the Treaties, in particular the respect for private and family life, home and communications, the protection of personal data, freedom of thought, conscience and religion, freedom of expression and information, freedom to conduct a business, the right to an effective remedy and to a fair trial, and cultural, religious and linguistic diversity.

(10)      In order to ensure a consistent and high level of protection of natural persons and to remove the obstacles to flows of personal data within the [European] Union, the level of protection of the rights and freedoms of natural persons with regard to the processing of such data should be equivalent in all Member States. Consistent and [homogeneous] application of the rules for the protection of the fundamental rights and freedoms of natural persons with regard to the processing of personal data should be ensured throughout the [European] Union. …

(11)      Effective protection of personal data throughout the [European] Union requires the strengthening and setting out in detail of the rights of data subjects and the obligations of those who process and determine the processing of personal data, as well as equivalent powers for monitoring and ensuring compliance with the rules for the protection of personal data and equivalent sanctions for infringements in the Member States.

(63)      A data subject should have the right of access to personal data which have been collected concerning him or her, and to exercise that right easily and at reasonable intervals, in order to be aware of, and verify, the lawfulness of the processing. …

(85)      A personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned. …

(141)      Every data subject should have the right to lodge a complaint with a single supervisory authority, in particular in the Member State of his or her habitual residence, and the right to an effective judicial remedy in accordance with Article 47 of the Charter if the data subject considers that his or her rights under this Regulation are infringed …

(146)      The controller … should compensate any damage which a person may suffer as a result of processing that infringes this Regulation. The controller … should be exempt from liability if it proves that it is not in any way responsible for the damage. The concept of damage should be broadly interpreted in the light of the case-law of the Court of Justice in a manner which fully reflects the objectives of this Regulation. … Data subjects should receive full and effective compensation for the damage they have suffered. …’

4        Article 4 of that regulation, entitled ‘Definitions’, provides:

‘For the purposes of this Regulation:

(2)      “processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

…’

5        Article 12 of the GDPR, entitled ‘Transparent information, communication and modalities for the exercise of the rights of the data subject’, provides, in paragraphs 1, 2 and 5 thereof:

‘1.      The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing to the data subject …

2.      The controller shall facilitate the exercise of data subject rights under Articles 15 to 22. …

5.      Information provided under Articles 13 and 14 and any communication and any actions taken under Articles 15 to 22 and 34 shall be provided free of charge. Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either:

(a)      charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or

(b)      refuse to act on the request.

The controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.’

6        Article 15 of the GDPR, entitled ‘Right of access by the data subject’, provides, in paragraph 1 thereof:

‘The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:

…’

7        Article 26 of the GDPR, entitled ‘Joint controllers’, provides, in paragraph 1 thereof:

‘Where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers. …’

8        Article 30 of that regulation, entitled ‘Records of processing activities’, provides, in paragraph 1 thereof:

‘Each controller and, where applicable, the controller’s representative, shall maintain a record of processing activities under its responsibility. …’

9        Article 57 of that regulation, entitled ‘Tasks’, provides, in paragraphs 1 and 4 thereof:

‘1.      Without prejudice to other tasks set out under this Regulation, each supervisory authority shall on its territory:

(f)      handle complaints lodged by a data subject, or by a body, organisation or association in accordance with Article 80, and investigate, to the extent appropriate, the subject matter of the complaint …;

4.      Where requests are manifestly unfounded or excessive, in particular because of their repetitive character, the supervisory authority may charge a reasonable fee based on administrative costs, or refuse to act on the request. The supervisory authority shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.’

10      Article 79 of that regulation, entitled ‘Right to an effective judicial remedy against a controller or processor’, provides, in paragraph 1 thereof:

‘Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority pursuant to Article 77, each data subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with this Regulation.’

11      Article 82 of the GDPR, entitled ‘Right to compensation and liability’, provides, in paragraphs 1, 2 and 4 thereof:

‘1.      Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.

2.      Any controller involved in processing shall be liable for the damage caused by processing which infringes this Regulation. …

4.      Where more than one controller or processor, or both a controller and a processor, are involved in the same processing and where they are, under paragraphs 2 and 3, responsible for any damage caused by processing, each controller or processor shall be held liable for the entire damage in order to ensure effective compensation of the data subject.’

 The dispute in the main proceedings and the questions referred for a preliminary ruling

12      In March 2023, TC, a natural person residing in Austria, subscribed to the newsletter of Brillen Rottler, a family run optician company established in Arnsberg (Germany), by entering his personal data in the registration form available on that company’s website and consenting to the processing of those data. Thirteen days later, TC sent a request for access to Brillen Rottler under Article 15 of the GDPR.

13      Within the period of one month set in the regulation, Brillen Rottler refused the request for access, considering it to be abusive, within the meaning of the second sentence of the first subparagraph of Article 12(5) of the GDPR. It called on TC to withdraw his request definitively.

14      After TC maintained his request for access, while adding a claim for compensation under Article 82 of the GDPR in the amount of EUR 1 000, Brillen Rottler submitted to the Amtsgericht Arnsberg (Local Court, Arnsberg, Germany), which is the referring court, a claim for a declaration that TC is not entitled to any compensation.

15      In support of its claim, Brillen Rottler submits that it is apparent from various reports, blog articles and lawyers’ newsletters that TC systematically and abusively makes requests for access to his personal data for the sole purpose of obtaining compensation for an alleged infringement, which he deliberately provokes, of his rights under the GDPR. According to Brillen Rottler, TC’s modus operandi consists of first subscribing to a newsletter, then making a request for access and, last, submitting a claim for compensation.

16      TC submits before the referring court that the request for access which he made to Brillen Rottler is legitimate, that it is an expression of the right of access conferred on him by Article 15 of the GDPR and that that company is seeking unlawfully to restrict the rights conferred on him by that regulation. By way of a counterclaim, he claims that Brillen Rottler should be ordered to pay him compensation of at least EUR 1 000 as compensation for non-material damage suffered as a result of that company’s refusal to grant him access to his personal data.

17      In the first place, the referring court is uncertain as to whether a first request for access made by the data subject may be regarded as an ‘excessive request’ for the purposes of Article 12(5) of the GDPR and, thus, constitute an abuse of rights, and what circumstances make it possible to establish such excessive character. In particular, it is uncertain whether, in order to refuse a request for access on the basis of that provision, a controller may rely on public information demonstrating that that person has submitted a large number of requests for access and for compensation to other controllers.

18      In the second place, that court asks whether a request for access made under Article 15(1) of the GDPR and/or the response to such a request constitutes ‘processing’ within the meaning of point 2 of Article 4 of the GDPR.

19      In the third place, that court harbours doubts as to the criteria for identifying the damage that may be compensated under Article 82(1) of the GDPR, and in particular as to whether, even where there has been no processing, that article confers a right to compensation solely on the basis of the infringement of the right of access provided for in Article 15(1) of that regulation.

20      In those circumstances, the Amtsgericht Arnsberg (Local Court, Arnsberg) decided to stay the proceedings and to refer the following questions to the Court of Justice for a preliminary ruling:

‘(1)      Is the second sentence of [the first subparagraph of] Article 12(5) of the [GDPR] to be interpreted as meaning [that] there cannot be an excessive [request for access] from the data subject when the first request is made to the controller?

(2)      Is the second sentence of [the first subparagraph of] Article 12(5) of the GDPR to be interpreted as meaning that the controller can refuse [a request for access] from the data subject if the data subject intends to use the [request for access] to provoke claims for damages against the controller?

(3)      Is the second sentence of [the first subparagraph of] Article 12(5) of the GDPR to be interpreted as meaning that grounds for refusing to provide information can be provided by publicly available information about the data subject which suggests that the data subject is asserting claims for damages against the controller in a large number of cases of infringement of the law relating to the protection of personal data?

(4)      Is [point 2 of Article 4] of the GDPR to be interpreted as meaning that [a request for access] from a data subject to the controller pursuant to Article 15(1) of the GDPR and/or a response to that request constitutes processing within the meaning of [the first of those provisions]?

(5)      In view of the first sentence of recital 146 of the GDPR, is Article 82(1) thereof to be interpreted as meaning that only damage which the data subject suffers or has suffered as a result of processing is eligible for compensation? Does this mean that for there to be a claim for damages under Article 82(1) of the GDPR – assuming causal damage to the data subject exists – there must necessarily have been processing of the data subject’s personal data?

(6)      If the answer to Question 5 is in the affirmative: does this mean that the data subject – assuming causal damage exists – has no claim for compensation under Article 82(1) of the GDPR solely on the basis of an infringement of his or her right [of access] under Article 15(1) of the GDPR?

(7)      Is Article 82(1) of the GDPR to be interpreted as meaning that the controller’s objection relating to an abuse of right in relation to [a request for access] from the data subject cannot, in view of EU law, consist in the fact that the data subject brought about processing of his or her personal data solely or inter alia in order to assert claims for damages?

(8)      If the answers to Questions 5 and 6 are in the negative: does the mere loss of control and/or uncertainty about the processing of the data subject’s personal data associated with an infringement of Article 15(1) of the GDPR constitute non-material damage to the data subject within the meaning of Article 82(1) of the GDPR or does it also require a further (objective or subjective) restriction and/or (significant) damage to the data subject?’

 Consideration of the questions referred

 The first to third and seventh questions

21      By its first to third and seventh questions, which it is appropriate to examine together and in the first place, the referring court asks, in essence, whether Article 12(5) of the GDPR must be interpreted as meaning that a first request for access to personal data made by the data subject to the controller pursuant to Article 15 of that regulation may be regarded as ‘excessive’ within the meaning of that Article 12(5) and, if so, what circumstances make it possible, as the case may be, to establish such excessive character.

22      In that regard, Article 15(1) of the GDPR guarantees the data subject’s right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed and, where that is the case, the data subject’s right of access to those data and to the information relating thereto (see, to that effect, judgment of 26 October 2023, FT (Copies of medical records), C-307/22, EU:C:2023:811, paragraph 31).

23      In addition, Article 12(5) of the GDPR establishes the principle that the exercise of that right of access is not to entail any cost for the data subject. However, the latter provision envisages two reasons why a controller may either charge a reasonable fee taking into account administrative costs or refuse to act on a request for access. Those reasons relate to instances of abuses of rights, in which the data subject’s requests must be regarded as ‘manifestly unfounded’ or ‘excessive’, in particular because of their repetitive character (judgment of 26 October 2023, FT (Copies of medical records), C-307/22, EU:C:2023:811, paragraph 31).

24      First, as regards the question whether a first request for access made by the data subject to the controller under Article 15 of the GDPR may be regarded as ‘excessive’, it should be noted that, since the concept of ‘excessive requests’ is not defined in that regulation, it is necessary, in accordance with settled case-law, for the purpose of interpreting that concept, to consider not only the wording of Article 12(5) of that regulation, by reference to its usual meaning in everyday language, but also the context in which that provision occurs and the objectives pursued by the rules of which it is part (see judgments of 17 November 1983, Merck, 292/82, EU:C:1983:335, paragraph 12, and of 9 January 2025, Österreichische Datenschutzbehörde (Excessive requests), C-416/23, EU:C:2025:3, paragraph 24 and the case-law cited).

25      In that connection, as regards the wording of Article 12(5) and, in particular, the usual meaning of the concept of ‘excessive requests’ in everyday language, the adjective ‘excessive’ denotes something which exceeds the ordinary or reasonable amount or which exceeds the desirable or permissible amount (see, to that effect, judgment of 9 January 2025, Österreichische Datenschutzbehörde (Excessive requests), C-416/23, EU:C:2025:3, paragraph 43). The mere use of that adjective, which relates to both qualitative and quantitative characteristics, does not therefore rule out the possibility that a first request for access may be excessive.

26      In addition, it is, admittedly, apparent from the wording of the second sentence of the first subparagraph of Article 12(5) of the GDPR that requests may be excessive ‘in particular because of their repetitive character’. A large number of requests made by a person may therefore be an indication of their excessive character (see, to that effect, judgment of 9 January 2025, Österreichische Datenschutzbehörde (Excessive requests), C-416/23, EU:C:2025:3, paragraph 57). However, as the Advocate General emphasised, in essence, in point 28 of his Opinion, since repetitive character is referred to in that provision solely by way of example, the characterisation of a request for access as ‘excessive’ does not require that that request necessarily be made in connection with the submission of a large number of requests by the same data subject.

27      It cannot therefore be ruled out, in the light of a literal interpretation of Article 12(5) of the GDPR, that a first request for access may be regarded as ‘excessive’ within the meaning of that provision.

28      That conclusion is supported by the context of the second sentence of the first subparagraph of Article 12(5) of the GDPR. In that regard, it should be recalled that that Article 12, which appears in Chapter III of that regulation, establishing the rights of the data subject, lays down general obligations on the controller with regard to transparency of information and communications and lays down the modalities for the exercise of the rights of the data subject. Under the first sentence of paragraph 2 of that Article 12, the controller must facilitate the exercise of data subject rights under, inter alia, Article 15 of that regulation, which complements the framework of transparency organised by that regulation by granting that data subject a right of access to his or her personal data (see, to that effect, judgment of 9 January 2025, Österreichische Datenschutzbehörde (Excessive requests), C-416/23, EU:C:2025:3, paragraphs 45 and 46).

29      Therefore, by also providing for the possibility for controllers, when faced with requests which are manifestly unfounded or excessive, to charge a reasonable fee based on administrative costs or to refuse to act on such requests, that Article 12(5) establishes an exception to the obligation to facilitate, inter alia, the right of access, which must be interpreted restrictively (see, to that effect, judgment of 9 January 2025, Österreichische Datenschutzbehörde (Excessive requests), C-416/23, EU:C:2025:3, paragraph 33).

30      That being so, it is apparent from the Court’s case-law on the interpretation of the concept of ‘excessive requests’ in Article 57(4) of the GDPR, which can be transposed to the present case in so far as that provision is worded in terms essentially similar to those of Article 12(5) of that regulation and pursues the same objective as the latter article, that Article 57(4) is an expression of the general principle of EU law to the effect that EU law cannot be relied on for abusive or fraudulent ends (see, to that effect, judgment of 9 January 2025, Österreichische Datenschutzbehörde (Excessive requests), C-416/23, EU:C:2025:3, paragraph 49). Indeed, the application of EU legislation cannot be extended to cover transactions carried out for the purpose of fraudulently or wrongfully obtaining advantages provided for by EU law (see, to that effect, judgment of 19 September 2024, Matmut, C-236/23, EU:C:2024:761, paragraph 52 and the case-law cited).

31      Thus, the number of requests for access made by the data subject to the controller does not, in itself, determine the controller’s right to make use of the option of not acting on a request, which is available to it under Article 12(5) of the GDPR, so that the controller may make use of that option even in the case of a first request for access, where it establishes, having regard to all the relevant circumstances of each case, that there has been an abusive intention on the part of that data subject (see, to that effect, judgment of 9 January 2025, Österreichische Datenschutzbehörde (Excessive requests), C-416/23, EU:C:2025:3, paragraph 50).

32      That contextual interpretation is consistent with the objectives pursued by the GDPR. In that regard, it should be noted that the purpose of that regulation, as indicated by recitals 10 and 11 thereof, is to ensure a consistent and high level of protection of natural persons within the European Union, as well as to strengthen and set out in detail the rights of data subjects. Thus, the obligations on the part of the controller laid down in Article 12 of that regulation, relating in particular to communication under Article 15 of that regulation, are designed as a mechanism capable of effectively safeguarding the rights and interests of data subjects (see, to that effect, judgment of 9 January 2025, Österreichische Datenschutzbehörde (Excessive requests), C-416/23, EU:C:2025:3, paragraphs 38 and 39 and the case-law cited).

33      However, recital 4 of the GDPR states that the right to the protection of personal data is not an absolute right, since it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality. In addition, the Court has already pointed out that the mechanisms allowing the different rights and interests to be balanced are contained in the GDPR itself (judgment of 21 December 2023, Krankenversicherung Nordrhein, C-667/21, EU:C:2023:1022, paragraph 54 and the case-law cited).

34      Therefore, in order to ensure that that balance is achieved by means of that exception, and that it is effective, the relevant criterion for a finding of abusive conduct is the excessive character of the request for access, which is to be assessed qualitatively, in accordance with paragraph 26 of the present judgment, and which cannot depend solely on the number of requests for access made by the data subject and thus on whether it is the data subject’s first request.

35      It follows that a first request for access made to the controller under Article 15 of the GDPR may be regarded as ‘excessive’ within the meaning of Article 12(5) of that regulation. That being so, since the concept of ‘excessive requests’ must be interpreted restrictively, as is apparent from paragraph 29 of the present judgment, a controller may rely on such excessive character only exceptionally and, as the Advocate General stated in point 34 of his Opinion, there must be strict criteria for characterising a first request for access as ‘excessive’. It is also important to emphasise that it is explicitly stated in the second subparagraph of Article 12(5) of the GDPR that the controller is to bear the burden of demonstrating that excessive character.

36      Second, as regards the circumstances in which the data subject’s first request for access may be characterised as ‘excessive’ within the meaning of Article 12(5) of the GDPR and thus constitute an abuse of rights within the meaning of the case-law cited in paragraphs 23 and 30 of the present judgment, it should be noted that proof of an abusive practice requires (i) a combination of objective circumstances in which, despite formal observance of the conditions laid down by the EU rules, the purpose of those rules has not been achieved and (ii) a subjective element consisting in the intention of the data subject to obtain an advantage from the EU rules by artificially creating the conditions laid down for obtaining it. Such characterisation also requires account to be taken of all the facts and circumstances of the case (see, to that effect, judgment of 21 December 2023, BMW Bank and Others, C-38/21, C-47/21 and C-232/21, EU:C:2023:1014, paragraphs 285 and 286 and the case-law cited).

37      As regards, in the first place, the objective element of an abusive practice, it should be noted that the aim of Article 15 of the GDPR, read in the light of recital 63 thereof, is to confer on a data subject the right of access to personal data which have been collected concerning him or her and to exercise that right easily and at reasonable intervals, in order, inter alia, to be aware of the processing of those data and to verify the lawfulness of that processing, thereby enabling the data subject to exercise, depending on the circumstances, his or her right to rectification, right to erasure or right to restriction of processing, and his or her right to object and right of action where he or she suffers damage (see, to that effect, judgment of 12 January 2023, Österreichische Post (Information regarding the recipients of personal data), C-154/21, EU:C:2023:3, paragraphs 37 and 38).

38      In the present case, as is apparent from the file before the Court, TC submitted the request for access at issue in the main proceedings after subscribing to Brillen Rottler’s newsletter and providing the latter with certain personal data during subscription, so that that request for access could, formally speaking, constitute an implementation of TC’s right of access in order to achieve the purpose of those rules.

39      However, in the light of the case-law cited in paragraph 36 of the present judgment, formal observance of the conditions for applying Article 15 of the GDPR does not, in itself, make it possible to rule out the ‘excessive’ character of a request for access and, accordingly, the existence of an abuse of rights.

40      In that connection, as regards, in the second place, the subjective element of an abusive practice, it should be noted that, in order to be able to characterise a request for access as ‘excessive’ within the meaning of Article 12(5) of the GDPR, the controller must establish, having regard to all the relevant circumstances of each case, that there has been an abusive intention on the part of the data subject. A finding of an abusive intention may be made where the data subject has made that request for a purpose other than that of being aware of the processing of those data and verifying the lawfulness of that processing, in order to be able, subsequently, to obtain protection of his or her rights under the GDPR (see, to that effect, judgment of 9 January 2025, Österreichische Datenschutzbehörde (Excessive requests), C-416/23, EU:C:2025:3, paragraphs 50 and 56).

41      Thus, in the present case, having regard, in particular, to paragraph 35 of the present judgment, it is for the controller to demonstrate unequivocally that the data subject has made a request for access under Article 15 of the GDPR not for the purpose of being aware of that processing, but for the purpose of artificially creating the conditions laid down for obtaining compensation from that controller.

42      In that regard, it will be necessary to take into account all the circumstances of the case, in particular the fact that the data subject provided personal data without being obliged to do so, the aim of providing those data, the time that elapsed between the provision of those data and the request for access, and the conduct of the data subject.

43      In the context of the dispute brought before it, the referring court is uncertain whether it is possible to take into account, for the purpose of assessing whether there has been an abuse of rights, public information indicating that TC systematically makes requests for access to his personal data and claims for compensation to various controllers following a modus operandi similar to that used in the present case. It should be noted, in that regard, that that information may indeed be taken into consideration for the purpose of establishing the abusive intentions of the data subject, provided that it is supported by other relevant material.

44      Thus, in the present case, it is for the referring court to ascertain whether, in the light of all the relevant circumstances, Brillen Rottler has established that TC made the request for access concerned with an abusive intention.

45      In the light of the foregoing considerations, the answer to the first to third and seventh questions is that Article 12(5) of the GDPR must be interpreted as meaning that a first request for access to personal data made by the data subject to the controller pursuant to Article 15 of that regulation may be regarded as ‘excessive’, within the meaning of that Article 12(5), where that controller demonstrates, in the light of all the relevant circumstances of the case, that, despite formal observance of the conditions laid down by those provisions, that request was made by the data subject not for the purpose of being aware of the processing of those data and verifying the lawfulness of that processing, in order to be able, subsequently, to obtain protection of his or her rights under that regulation, but with an abusive intention, such as that of artificially creating the conditions laid down for obtaining an advantage from that regulation. The fact that, according to publicly available information, the data subject has made a large number of requests for access to his or her personal data, followed by claims for compensation, to various controllers, may be taken into consideration for the purpose of establishing the existence of such an abusive intention.

 The fifth and sixth questions

46      By its fifth and sixth questions, which it is appropriate to examine together and in the second place, the referring court asks, in essence, whether Article 82(1) of the GDPR must be interpreted as conferring on the data subject a right to compensation for the damage resulting from an infringement of the right of access provided for in Article 15(1) of that regulation.

47      As recalled in paragraph 24 of the present judgment, in accordance with settled case-law, in interpreting a provision of EU law, it is necessary to consider not only its wording but also its context and the objectives pursued by it.

48      It is apparent from the wording of Article 82(1) of the GDPR that a person who has suffered material or non-material damage ‘as a result of an infringement of [that] regulation’ is entitled to receive compensation from the controller for the damage suffered. It must be stated that that provision contains no reference to ‘processing’, so that that right to compensation cannot be limited to damage resulting from the processing of personal data.

49      That conclusion is supported, first, by the contextual analysis of that provision, read in the light of recital 141 of the GDPR, which provides that every data subject should have the right to an effective judicial remedy in accordance with Article 47 of the Charter ‘if the data subject considers that his or her rights under [that] regulation are infringed’. Article 82(1) of the GDPR is contained in Chapter VIII of that regulation, which governs remedies, the rules for liability and penalties to protect those rights. Those rights encompass a data subject’s right to information, provided for in Article 12 of that regulation, and his or her right of access under Article 15(1) of that regulation, so that they must be protected by Article 82 thereof, which must therefore be interpreted as also applying to damage resulting from infringements of Articles 12 and 15.

50      Such an interpretation cannot be called into question by the fact that, first, it is apparent from recital 146 of the GDPR that the controller should compensate any damage which a person may suffer ‘as a result of processing’ that infringes that regulation and, second, that Article 82 of that regulation refers, in paragraphs 2 and 4 thereof, to ‘damage caused by processing’.

51      As the Commission submits, in essence, in its written observations, in the event of infringement of the rights laid down by the provisions of Chapter III of the GDPR, in particular the right of access to data and the right to rectification, as well as the rights to erasure, restriction of processing and portability, the alleged infringement is liable to result from the refusal to act on the data subject’s request with regard to the exercise of those rights, rather than from the actual processing of personal data as such. Therefore, making the right to compensation under Article 82(1) of the GDPR conditional on the existence of damage resulting from processing as such would have the effect of excluding such situations from the scope of that provision and thus of undermining its effectiveness.

52      Furthermore, the Court has already held that the infringement, by the controller, of Articles 26 and 30 of the GDPR, the first of which relates to the conclusion of an arrangement determining the respective roles of controllers and their relationships vis-à-vis data subjects, and the second of which relates to the maintenance of a record of processing activities, does not constitute ‘unlawful processing’, conferring on the data subject a right to erasure or restriction of processing. Such an infringement must therefore be remedied by recourse to other measures provided for by the GDPR, inter alia compensation for any damage caused by the controller, pursuant to Article 82 thereof (see, to that effect, judgment of 4 May 2023, Bundesrepublik Deutschland (Court electronic mailbox), C-60/22, EU:C:2023:373, paragraphs 66 and 67).

53      The finding in paragraph 48 of the present judgment is supported, second, by the teleological interpretation of Article 82(1) of the GDPR, since that article seeks to ensure the implementation of the objectives of that regulation, including, in particular, the objective of strengthening the rights of data subjects and the obligations of those who process and determine the processing of personal data, set out in recital 11 of that regulation. As the Advocate General stated, in essence, in point 72 of his Opinion, those rights, which specifically include the right of access referred to by the referring court, would be significantly weakened if that Article 82(1) were to be interpreted as being limited solely to damage resulting from unlawful acts involving data processing.

54      It follows that, even where there is an infringement of the GDPR that does not, as such, involve the processing of data, the data subject may rely on the right to compensation provided for in Article 82 of that regulation.

55      In the light of the foregoing, the answer to the fifth and sixth questions is that Article 82(1) of the GDPR must be interpreted as conferring on the data subject a right to compensation for the damage resulting from an infringement of the right of access provided for in Article 15(1) of that regulation.

 The fourth question

56      In the light of the answer given to the fifth and sixth questions referred for a preliminary ruling, there is no need to answer the fourth question.

 The eighth question

57      By its eighth question, which it is appropriate to examine in the third and last place, the referring court asks, in essence, whether Article 82(1) of the GDPR must be interpreted as meaning that the non-material damage suffered by the data subject encompasses the loss of control over his or her personal data or his or her uncertainty as to whether those data have been processed.

58      Since the GDPR makes no reference to the law of the Member States so far as concerns the meaning and scope of the terms in that provision, in particular as regards the concepts of ‘material or non-material damage’ and of ‘compensation for the damage suffered’, those terms must be regarded, for the purposes of the application of that regulation, as constituting autonomous concepts of EU law which must be interpreted in a uniform manner in all of the Member States (see, to that effect, judgments of 4 May 2023, Österreichische Post (Non-material damage in connection with the processing of personal data), C-300/21, EU:C:2023:370, paragraph 30, and of 4 September 2025, Quirin Privatbank, C-655/23, EU:C:2025:655, paragraph 55 and the case-law cited).

59      In that regard, it should be recalled that it cannot be held that any ‘infringement’ of the provisions of the GDPR, by itself, confers a right to compensation on the data subject. Article 82(1) of the GDPR provides that ‘any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered’. It is clear therefrom that the existence of ‘damage’ which has been ‘suffered’ constitutes one of the conditions for the right to compensation laid down in that provision, as does the existence of an infringement of the GDPR and of a causal link between that damage and that infringement, those three conditions being cumulative (see, to that effect, judgments of 4 May 2023, Österreichische Post (Non-material damage in connection with the processing of personal data), C-300/21, EU:C:2023:370, paragraphs 31 to 33, and of 4 September 2025, Quirin Privatbank, C-655/23, EU:C:2025:655, paragraph 56 and the case-law cited).

60      Thus, a person seeking compensation for non-material damage on the basis of that provision is required to establish not only the infringement of provisions of the GDPR, but also that that infringement caused him or her such damage. Such damage cannot therefore be presumed merely on the basis that that infringement took place (judgment of 4 October 2024, Agentsia po vpisvaniyata, C-200/23, EU:C:2024:827, paragraph 141 and the case-law cited).

61      That being so, the Court has already held that it is apparent from the illustrative list of types of ‘damage’ that may be suffered by data subjects, set out in the first sentence of recital 85 of the GDPR, that the EU legislature intended to include in that concept, inter alia, the mere ‘loss of control’ over their own personal data, as a result of an infringement of that regulation, even if there had been no actual misuse of the data in question (judgment of 4 October 2024, Agentsia po vpisvaniyata, C-200/23, EU:C:2024:827, paragraph 145 and the case-law cited).

62      The Court has also held that the concept of ‘non-material damage’ cannot be limited solely to damage of a certain degree of seriousness. In particular, national legislation or a national practice cannot validly set a ‘de minimis threshold’ in order to establish non-material damage caused by an infringement of the GDPR. However, the data subject is required to demonstrate, first, that he or she has actually suffered such damage, however minimal, and, second, that the consequences of the infringement which he or she claims to have suffered constitute damage which differs from the mere infringement of the provisions of that regulation (see, to that effect, judgment of 14 December 2023, Gemeinde Ummendorf, C-456/22, EU:C:2023:988, paragraphs 22 and 23).

63      Thus, the mere allegation by the data subject of fear caused by a loss of control over his or her personal data cannot give rise to compensation under Article 82(1) of the GDPR (see, to that effect, judgment of 20 June 2024, PS (Incorrect address), C-590/22, EU:C:2024:536, paragraphs 33 and 35). Therefore, where a person claiming compensation on the basis of that provision relies on the fear that his or her personal data will be misused in the future owing to the existence of an infringement of that regulation, the national court seised must verify that that fear can be regarded as well founded, in the specific circumstances at issue and with regard to the data subject (see, to that effect, judgment of 4 October 2024, Agentsia po vpisvaniyata, C-200/23, EU:C:2024:827, paragraph 143 and the case-law cited).

64      The considerations set out in paragraphs 59 to 63 of the present judgment also apply in a situation where the data subject considers that there is uncertainty as to whether his or her personal data have been processed.

65      In order to give a useful answer to the referring court, it must also be noted that the causal link between the alleged infringement and the alleged damage may be broken by the conduct of the data subject, provided that that conduct proves to be the determining cause of the damage. Such an act may consist, inter alia, of a decision of the adversely affected person, provided, however, that he or she was not obliged to take that decision (see, by analogy, judgment of 18 December 2025, WS and Others v Frontex (Joint return operation), C-679/23 P, EU:C:2025:976, paragraphs 151 and 152 and the case-law cited).

66      In addition, it is apparent from the case-law recalled in paragraph 59 above that the existence of a causal link between the alleged infringement of the GDPR and the damage allegedly suffered by the data subject is a condicio sine qua non for a right to compensation under Article 82(1) of that regulation. Accordingly, the data subject cannot be granted, under that provision, compensation for the damage allegedly suffered as a result of the loss of control over his or her personal data or as a result of his or her uncertainty as to whether those data have been processed where the causal link is broken by the data subject’s conduct, in so far as that loss of control or that uncertainty was caused by the data subject’s decision to submit those data to the controller with the aim of artificially creating the conditions laid down for the application of that provision.

67      In the light of the foregoing considerations, the answer to the eighth question is that Article 82(1) of the GDPR must be interpreted as meaning that the non-material damage suffered by the data subject encompasses the loss of control over his or her personal data or his or her uncertainty as to whether his or her data have been processed, provided that it is demonstrated, in particular, that the data subject actually suffered such damage and that his or her conduct was not the determining cause of that damage.

 Costs

68      Since these proceedings are, for the parties to the main proceedings, a step in the action pending before the referring court, the decision on costs is a matter for that court. Costs incurred in submitting observations to the Court, other than the costs of those parties, are not recoverable.

On those grounds, the Court (Fourth Chamber) hereby rules:

1.      Article 12(5) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

must be interpreted as meaning that a first request for access to personal data made by the data subject to the controller pursuant to Article 15 of that regulation may be regarded as ‘excessive’, within the meaning of that Article 12(5), where that controller demonstrates, in the light of all the relevant circumstances of the case, that, despite formal observance of the conditions laid down by those provisions, that request was made by the data subject not for the purpose of being aware of the processing of those data and verifying the lawfulness of that processing, in order to be able, subsequently, to obtain protection of his or her rights under that regulation, but with an abusive intention, such as that of artificially creating the conditions laid down for obtaining an advantage from that regulation. The fact that, according to publicly available information, the data subject has made a large number of requests for access to his or her personal data, followed by claims for compensation, to various controllers, may be taken into consideration for the purpose of establishing the existence of such an abusive intention.

2.      Article 82(1) of Regulation 2016/679

must be interpreted as conferring on the data subject a right to compensation for the damage resulting from an infringement of the right of access provided for in Article 15(1) of that regulation.

3.      Article 82(1) of Regulation 2016/679

must be interpreted as meaning that the non-material damage suffered by the data subject encompasses the loss of control over his or her personal data or his or her uncertainty as to whether his or her data have been processed, provided that it is demonstrated, in particular, that the data subject actually suffered such damage and that his or her conduct was not the determining cause of that damage.

[Signatures]

*      Language of the case: German.


Disclaimer