When is a request for information excessive? ECJ names specific test points

ECJ on misuse of requests for information
Categories:

In the „Brillen Rottler“ decision, the ECJ clarified the limits of the right to information under Art. 15 GDPR and, at the same time, the contours of compensation under EU law in accordance with Art. 82 GDPR sharpened. According to the ECJ, even a first-time request for information can be „excessive“ within the meaning of Art. 12 para. 5 GDPR be, if the Responsible persons proves that the request does not serve to control the data processing, but is made improperly to artificially create claims for damages.

Request for information is rejected due to excess

In practice, claims for information under Art. 15 GDPR to the most important rights of data subjects. For Responsible persons However, they regularly represent an area of tension. On the one hand, the Right to information a central transparency instrument and a prerequisite for the effective perception of further Rights of data subjects. On the other hand, there is an increasing number of constellations in which requests for information are obviously not primarily based on Transparency, but to generate pressure, costs or claims for damages.

The ECJ now had to decide on a referral from the Arnsberg District Court. The affected person had subscribed to the newsletter of an optician's company and in doing so personal data in the online form. Just 13 days later, she submitted a request for information in accordance with Art. 15 GDPR. The company Brillen Rottler rejected the request as it was abusive. It was apparent from various media reports, blog posts and reports from lawyers that the applicant systematically registered for newsletters from various companies, then requested information and finally demanded compensation. The affected Person, on the other hand, considered her application to be legitimate and demanded at least 1,000 euros in non-material damages for the refusal to provide information.

The Court thus had to answer two highly relevant practical questions: Under what conditions may a request for information be rejected as excessive and abusive? And can the violation of the right to information as such give rise to a claim for damages under Art. 82 GDPR justify?

First request for information can be excessive

The central first finding of the ECJ is that a request for information does not have to have been made repeatedly in order to be considered excessive within the meaning of Art. 12(5) of the GDPR. GDPR to apply. Although the standard explicitly mentions „frequent repetition“, this is only by way of example. The Court therefore rejects any schematic view according to which a first application can never be conceptually excessive.

With its decision, the ECJ ties in with the wording and system of the GDPR an. In common parlance, the term „excessive“ describes behavior that exceeds what is reasonable or permissible. However, this does not mean that only quantitative excesses can be meant. A qualitatively abusive application can also be excessive. At the same time, the Court emphasizes that Art. 12 para. 5 GDPR as an exception to the fundamental free and facilitated exercise of the Rights of data subjects is to be interpreted narrowly. High standards therefore apply to the assumption of an excessive initial application.

For practical purposes, it is particularly important that the ECJ has ruled that Art. 12 para. 5 GDPR into the general principle of abuse under EU law. Rights of data subjects must not be exploited in a fraudulent or abusive manner. The ruling thus strengthens those responsible where applications are clearly not used for data protection control but for the formulaic production of claims.

Proof of intent to abuse required

The Court of Justice requires an overall assessment of all relevant circumstances for the assumption of an abusive excessive application. The decisive factor is whether the application actually serves the purpose of Art. 15 GDPR namely to raise awareness of the Processing and the review of their legality. If this purpose is missing and the aim is instead to artificially create the conditions for a financial benefit from the GDPR to create a new job, this may constitute misuse.

The ECJ mentions several circumstances that can be included in this assessment:

  • the voluntary provision of data,
  • the purpose of this provision,
  • the short time interval between the provision of data and the request for information and
  • the overall behavior of the person concerned.


It should be particularly emphasized that publicly available information on a systematic approach may also be taken into account. However, such information is not sufficient in isolation. It can be an indication, but must be confirmed by other circumstances. This also corresponds to the exceptional nature of Art. 12 para. 5 GDPR. According to the ECJ, a first application may be abusive if it is not subject to the control of the Processing, but serves solely to create the conditions for compensation. Several similar cases can be an indication of this.

Compensation under Art. 82 GDPR also in the event of a breach of the right of access

The second part of the decision is equally important. The ECJ clarifies that Art. 82 para. 1 GDPR is not limited to damages resulting directly from data processing. A claim for damages can therefore also arise from the violation of the right to information pursuant to Art. 15 para. 1 GDPR are created.

The Court thus rejects a narrow, purely processing-related interpretation of Art. 82 GDPR back. The GDPR not only protects against unlawful Processing, but also grants independent Rights of data subjects, whose effective enforcement must be secured under EU law. If Art. 82 GDPR to cases of direct Processing the protection of these rights would be partially invalidated. A claim for damages can therefore also be asserted in the event of a breach of the right to information about personal data exist.

No automatism: Infringement alone is not enough

However, the ECJ also makes it clear that not every Infringement against the GDPR automatically leads to a claim for damages. The three known requirements are still necessary.

  1. Infringement against the GDPR,
  2. actual material or immaterial damage and
  3. Causal link between Infringement and damage.


This is precisely where the balancing function of the decision lies. The Court of Justice extends Art. 82 GDPR is not unlimited. It does confirm that the violation of the right to information can also be relevant to liability. At the same time, however, it remains the case that the affected person must demonstrate and prove real damage. An abstract violation of the law is not sufficient. This corresponds to the previous line of the ECJ on Art. 82 GDPR.

Loss of control and uncertainty as immaterial damage

With regard to non-material damage, the Court recognizes that the loss of control over personal data or the uncertainty as to whether data has been processed can, in principle, constitute compensable non-material damage. This in particular Right to information aims to eliminate information asymmetries and give data subjects control over their data.

However, the ECJ also remains differentiated here. The mere assertion of a fear is not sufficient. An actual non-material disadvantage must be proven. In addition, the causal link may be broken if the person's own conduct was the decisive cause of the alleged damage.

Therefore, anyone who deliberately provides data with the intention of subsequently creating the conditions for a claim for damages cannot simply invoke a loss of control that was created in the first place.

Reading tip: BAG: “Annoyance” over delayed information is not sufficient for damages

Classification of the "Brillen Rottler" decision in practice

The decision is neither a „carte blanche” to reject inconvenient requests for information nor an invitation to strategic mass requests. Rather, it marks a balanced middle way under EU law.

For Responsible persons this initially means that the hurdles for assuming an excessive initial application remain high. A blanket reference to abuse is not permissible. Anyone who submits an application pursuant to Art. 12 para. 5 GDPR If the employer wishes to reject the application, he must be able to document in a comprehensible manner the specific circumstances that indicate that the Affected parties not the legality of the Processing wants to examine. Mere assumptions, general skepticism or a conflict-oriented pursuit of claims are not sufficient.

At the same time, the ruling strengthens the defense options in abuse-related cases. In conspicuous constellations Responsible persons carry out a structured abuse check. Relevant indicators can be: an extremely short interval between data entry and request for information, obviously artificially created contact constellations, parallel claim patterns against numerous responsible parties as well as public indications of a standardized procedure. However, the overall view always remains decisive.

For processing practice, the ruling also means that rejections must be justified with particular care. Who Art. 12 para. 5 GDPR bears the burden of presentation and proof. For this reason alone, a documented case-by-case review involving the data protection and legal department is recommended on a regular basis.

The decision also sets clear limits for the affected parties. The judicial enforcement of claims for information remains legitimate. The assertion of claims for damages is also not abusive per se. However, abuse only exists if the Right to information is used contrary to its function. In other words, it no longer meets the protective purpose of Art. 15 GDPR but is merely used as a vehicle for the artificial generation of claims.

Source: ECJ decision “Brillen Rottler” (C-526/24 of March 19, 2026)

Contact us
Tags:
Share this post :

Popular categories

Newsletter

Subscribe to our data protection newsletter to receive the latest updates, tips and insights straight to your inbox.
Subscribe

Latest posts