When does a data subject access request become excessive?

The right of access has long occupied a central position within the General Data Protection Regulation (GDPR). Enshrined in Article 15, it enables individuals to obtain confirmation as to whether their personal data is being processed, gain access to such data and understand the purposes, legal basis and recipients of the processing. It is, in many respects, the gateway through which data subjects are able to exercise the broader suite of rights afforded under the GDPR and to verify whether their personal data is being processed lawfully.

Yet as the GDPR has matured, organisations across the European Union have increasingly reported a phenomenon that sits uneasily with the original rationale underpinning the right of access. That is, data subject access requests (DSARs) are no longer used solely as instruments of transparency. In some instances, they have become tactical tools deployed in the context of employment disputes, commercial disagreements and compensation claims. The question of whether the GDPR permits controllers to resist such requests has become increasingly relevant in practice.

The Court of Justice of the European Union (CJEU or the Court) recently addressed this issue in Brillen Rottler GmbH & Co KG v TC (Case C-526/24), a judgment which may prove to be one of the most significant GDPR decisions of the first half of 2026. While the decision has been widely reported as confirming that “abusive” access requests may be refused, its implications extend far beyond that simple proposition. At its core, the judgment raises important questions regarding the limits of data subject rights, the role of the abuse of rights doctrine in EU law and the increasingly delicate balance between effective data protection and strategic litigation.

Background to the dispute

The case arose following a request for access made by an individual who had subscribed to a company’s newsletter. The controller failed to comply with the request and subsequently became the subject of a compensation claim. In its defence, the company argued that the individual had engaged in a broader pattern of conduct involving subscriptions to numerous newsletters followed by access requests and damages claims. According to the controller, the request was not genuinely aimed at understanding the processing of personal data but formed part of a strategy designed to generate compensation claims.

The referring German court asked the CJEU whether a first access request could be regarded as “manifestly unfounded or excessive” within the meaning of Article 12(5) GDPR and whether evidence of abusive conduct could justify a refusal to comply.

The questions referred were significant because Article 12(5) GDPR is generally understood as providing a narrow exception to the obligation to facilitate data subject rights. While controllers may refuse requests that are manifestly unfounded or excessive, the provision has traditionally been associated with repetitive or burdensome requests. Whether it could extend to requests tainted by abuse of rights had not previously been considered directly by the Court.

The Court’s approach

The Court confirmed that the general principle prohibiting abuse of rights forms part of EU law and applies equally in the context of rights conferred by the GDPR. It held that Article 12(5) GDPR may permit the refusal of a request where objective evidence demonstrates that the right of access is being exercised abusively and in a manner contrary to the objectives for which that right was established.

In reaching this conclusion, the Court emphasised that the purpose of Article 15 GDPR is to enable individuals to become aware of and verify the lawfulness of the processing of their personal data. Where a request is made for purposes wholly unrelated to those objectives, reliance on the right of access may constitute an abuse of rights.

Perhaps the most notable aspect of the judgment is the Court’s confirmation that even a first access request may, in principle, be regarded as excessive. This represents a departure from the assumption that excessiveness is necessarily linked to repetition or frequency. Instead, the Court adopted a more qualitative assessment, focusing on the purpose and circumstances surrounding the request rather than merely its volume.

At the same time, the Court was careful to stress that the threshold remains exceptionally high. The burden of proving abuse rests entirely on the controller and cannot be satisfied by mere suspicion. The fact that a request may ultimately support litigation or give rise to a claim for damages does not, in itself, render the request abusive.

A significant evolution of Article 12(5)

Although the practical outcome of the case may appear straightforward, the judgment arguably represents a more significant doctrinal development than initial commentary has suggested.

The wording of Article 12(5) GDPR does not expressly refer to abusive motives or improper purposes. Rather, it permits controllers to refuse requests that are “manifestly unfounded or excessive”. Prior to Brillen Rottler, this language was commonly interpreted as targeting requests which were repetitive, disproportionate or administratively burdensome. The Court’s reasoning effectively broadens the scope of the provision by introducing an assessment of purpose. Excessiveness is no longer solely a quantitative concept. It may also arise where the exercise of the right itself departs from the objectives of the GDPR.

This development reflects the Court’s increasing willingness to rely upon general principles of EU law when interpreting data protection rights. The doctrine of abuse of rights is well established within other areas of EU law; however, its explicit application within the GDPR context marks an important evolution in the Court’s approach to data protection rights.

Some may question whether this constitutes a legitimate interpretation of the GDPR or whether it introduces a limitation that the legislature deliberately chose not to include. Regardless of one’s view, the judgment illustrates that data subject rights are not regarded as entirely immune from broader principles governing the exercise of EU law rights.

Implications for Malta

The judgment is likely to be of particular interest to Maltese organisations operating within sectors that routinely receive broad and complex access requests.

Employers frequently encounter DSARs in the context of disciplinary proceedings, grievances and employment disputes. Likewise, financial institutions, insurance undertakings and gaming operators often receive requests from individuals who are simultaneously pursuing complaints or claims.

In these sectors, the temptation to rely upon Brillen Rottler may be considerable. Nevertheless, controllers should exercise caution. The judgment does not create a convenient mechanism through which difficult or burdensome requests may be rejected. The evidential threshold remains substantial and the consequences of wrongly refusing a request may include regulatory scrutiny and potential liability under the GDPR.

From a Maltese perspective, it is also likely that the Office of the Information and Data Protection Commissioner (IDPC) will approach the judgment conservatively. Given the fundamental importance of the right of access within the GDPR framework, any exception based on abuse of rights is likely to be interpreted narrowly and applied only in exceptional circumstances.

Conclusion

For the first time, the CJEU has expressly confirmed that the doctrine of abuse of rights may operate as a limitation upon the exercise of rights conferred by the GDPR. In doing so, the Court has clarified that the right of access is not immune from scrutiny where objective evidence demonstrates that it is being exercised in a manner contrary to its intended purpose.

At the same time, the judgment should not be interpreted as signalling a retreat from the strong protection afforded to data subjects under EU law. The Court’s reasoning makes clear that refusals remain the exception rather than the rule and that the burden of establishing abuse is a demanding one.

Ultimately, Brillen Rottler is best understood as an attempt to preserve the integrity of the GDPR’s rights framework. It recognises that fundamental rights must remain effective and accessible, whilst also acknowledging that their legitimacy depends upon being exercised for the purposes for which they were created. Whether the judgment will materially alter the handling of access requests in practice remains to be seen. What is clear, however, is that it marks an important step in the continuing evolution of European data protection law.


Disclaimer: This article is for informational purposes only and does not contain or convey legal advice. The information contained in this article should not be used or relied upon in regard to any particular facts or circumstances without first obtaining legal advice. This article was first published in the ‘Independent’ on 10/06/2026.

 
