A request for access to one’s personal data may be deemed abusive and refused if it is made for the sole purpose of subsequently seeking compensation for an alleged breach of the GDPR
Published on :
20/04/2026
20
April
Apr
04
2026
This is an important ruling handed down on 19 March 2026 by the Court of Justice of the European Union, which clarifies a much-anticipated point in practice: the right of access to personal data is not absolute.
An individual residing in Austria subscribed to the newsletter of a company based in Germany via the registration form available on the company’s website.
A few days later, he sent the company a request for access to his personal data under the GDPR.
The company opposed this request, arguing that various news reports, blog posts and legal briefings indicated that this individual would habitually subscribed to newsletters from various companies before submitting a request for access under the GDPR and subsequently a claim for compensation.
The Arnsberg District Court (Germany), before wich a claim was filed referred a question to the Court of Justice of the European Union (CJEU) as to whether a first request for access to personal data made by a person could be considered ‘excessive’ and whether that person is entitled to compensation for the damage resulting from a breach of the right of access to such data.
In its decision of March 19, 2026, the CJEU ruled that an initial request for access may, in certain circumstances, already be considered ‘excessive’ within the meaning of the GDPR, and therefore abusive.
This is the case where the controller proves that, despite formal compliance with the conditions laid down by the GDPR for the submission of a request for access, that request was made not to ascertain the processing of the data and verify its lawfulness, but with the intention—which may be described as “abusive”—of artificially creating the conditions required to obtain compensation under the GDPR.
The fact that, according to publicly available information, the data subject has submitted several requests for access to their personal data, followed by claims for compensation, to various data controllers may be taken into account in order to establish the existence of such an abusive intention.
Finally, the Court states that it is not possible to claim compensation for damage under the GDPR if one’s own conduct is the decisive cause of the harm.
History
-
The Legal 500 Country Comparative Guides | Employee Incentives in France 2026
Published on : 27/02/2026 27 February Feb 02 2026InsightsPartners Camille Ventejou and Romain Guichard authored the France chapter of...
-
European Union: EU Refuses Postponement of Pay Transparency Directive Implementation
Published on : 02/02/2026 02 February Feb 02 2026L&E GlobalThe post European Union: EU Refuses Postponement of Pay Transparency Directiv...Source : leglobal.law
-
Podcast | The Investigator’s Dilemma - Navigating Complexity, Conflict, and Human Drama in High-Stakes Cases
Published on : 17/12/2025 17 December Dec 12 2025InsightsInternal investigations are no longer routine compliance exercises. They are...