In Case C-526/24 (Brillen Rottler), Advocate General Szpunar has delivered a significant legal assessment on the abuse of rights concerning GDPR access requests. His opinion defines the high threshold for assuming an abuse of rights, clarifies the broad Scope of liability under Article 82 GDPR, and simultaneously reinforces the requirement of proven damages. This briefing analyzes the key findings and their practical implications.
What happened?
The Court of Justice of the European Union (CJEU) was seized of a request for a preliminary ruling from the District Court of Arnsberg, Germany. The controller refused to comply with an access request pursuant to Art. 15 of the General Data Protection Regulation (GDPR). The controller justified the refusal by alleging an abuse of rights, claiming it was evident from public sources that the data subject systematically provoked data protection infringements in order to claim compensation.
The referring court asks the CJEU to clarify the circumstances under which the exercise of a right of access can be classified as an abuse of rights and the resulting consequences for the right to compensation under Art. 82 GDPR. The Opinion of Advocate General (AG) Maciej Szpunar, published on September 12, 2025, provides a detailed legal assessment of these questions.
Legal assessment by the Advocate General
The Advocate General's analysis focuses on four central aspects regarding the abuse of rights and liability under the GDPR.
Can an initial request for information already be considered “excessive”?
The Advocate General clarifies that the case of an "excessive" request mentioned in Art. 12(5) GDPR is merely an example. Consequently, an abuse of rights can also occur with other cases of access requests, even an initial access request.
However, the AG emphasizes that this should only be assumed in "exceptional circumstances". The right of access constitutes a fundamental right within the GDPR framework, which is why any exception to this principle must be interpreted strictly. The threshold for assuming an abuse of rights in the case of a first request must therefore generally be considered high.
When is a request for access to information considered
“excessive“ and therefore an abuse of rights?
To determine an abuse of rights, the Advocate General develops a key distinction. He states that the mere fact that a person has made numerous similar claims in the past is not, in itself, sufficient to prove abusive intent. The exercise of the right to compensation enshrined in Art. 82 GDPR cannot be considered abusive per se.
The decisive criterion is rather the underlying purpose of the data subject's actions. Abuse of rights occurs when it can be proven that the data subject consented to data processing (e.g., by subscribing to a newsletter) solely to submit an access request and claim compensation.
The focus is thus on the act of deliberately creating a legal relationship with the controller for the sole purpose of exploiting a potential GDPR infringement to make a compensation claim.
A controller cannot demonstrate that a request for access to personal data is excessive or abusive solely on the basis that the data subject's approach is described in public sources and considered to be an abuse of rights. Instead, they must prove, based on specific indicators such as the time of registration, the time of the information request, the type of communication, and similar factors, that the information request was made with the intention of abusing the right to access information.
Scope of liability under Article 82 GDPR
A significant part of the Opinion deals with the scope of the right to compensation under Art. 82 GDPR. While the wording of Art. 82(1) GDPR refers to damage "as a result of an infringement of this Regulation”, other paragraphs refer more specifically to damage caused by "processing."
The Advocate General argues for a broad interpretation. He concludes that a right to compensation can arise from any infringement of the GDPR, not just from an unlawful processing activity. This implies that purely procedural failures, such as the unjustified refusal to provide information pursuant to Art. 15 GDPR, can give rise to liability under Art. 82 GDPR, even if the underlying data processing itself was compliant. The potential scope of liability for controllers is thereby significantly expanded.
Requirement of proven damage
As a corrective to the broad scope of liability, the Advocate General reaffirms the established principle that an infringement of the GDPR alone does not automatically give rise to a right to compensation. The mere infringement of the provisions thereof is not sufficient to confer a right to compensation.
The claimant continues to bear the burden of proof for establishing that actual material or non-material damage has occurred. Even in cases of clear infringement, such as unlawfully refusing an access request, there is no right to compensation unless it can be demonstrated that concrete damage has been caused, such as a tangible loss of control over one's own data. This principle prevents the GDPR from becoming a strict liability regime in which every formal error is automatically penalised.
Possible implications of the Opinion
The Advocate General's opinion offers guidance to controllers on how to protect themselves against manifestly abusive practices that exploit data protection law for unrelated purposes. However, this only applies if the controller can prove the abuse. Since an unjustified refusal to provide information can result in claims for damages, such a refusal should only be made if the reasons for it are documented and legally acceptable.
Although the final decision of the ECJ is still pending, the Advocate General's opinion indicates that the GDPR cannot be exploited for abusive purposes. This nuanced interpretation is positive in that it shows that the GDPR's original purpose of protecting the data protection rights of data subjects remains paramount, and that the legal positions of data subjects and controllers are appropriately reconciled.
