Data Subject Access Requests (DSARs) are increasingly being used as a tool in employment disputes across Europe. The 19 March 2026 Court of Justice of the EU (CJEU) ruling in Brillen Rottler (Case C‑526/24) therefore brings welcome clarity to this field. The ruling will allow organisations a wider margin to refuse a DSAR if they can show that it was not genuinely aimed at verifying the lawfulness of processing, though the threshold for proving abusive intention remains high.
A DSAR can be refused under GDPR Article 12(5) if it is deemed "manifestly unfounded" or "excessive". What makes this ruling important is that the CJEU determines that this applies even if it is the data subject's first request.
The case stems from Austria and an individual who had subscribed to the newsletter of the family-run optician Brillen Rottler, established in Germany. Brillen Rottler refused the request, which was sent just 13 days after the subscription was received, because it considered the request to be abusive. According to Brillen Rottler, the individual systematically subscribed to newsletters of various companies before submitting a request for access and then a claim for compensation. The individual claimed compensation of at least €1000 for non-material damage that he claimed to have suffered as a result of the refusal of the DSAR.
The CJEU stated that, in order to obtain compensation, the data subject must demonstrate that he or she has actually suffered such damage. Also, the data subject cannot receive compensation for damage under the GDPR if his or her own conduct is the determining cause of the damage.
However, while controllers will not be able to rely on this decision as a consistent mechanism to avoid complying with DSARs, the decision resembles the proposed changes in the EU Digital Omnibus to GDPR’s DSAR provisions.

