On 19 March 2026, the Court of Justice of the European Union (“CJEU”) delivered its long-awaited preliminary ruling in Case C-526/24. The CJEU confirmed that companies can refuse to act on a data subject’s access request under Article 15 GDPR for being abusive, even when this access request is exercised for the very first time. At the same time, the judgment significantly expands the exposure to compensation claims under Article 82 GDPR. 

Background

In March 2023, a data subject subscribed to a newsletter on the website of a German company. Only thirteen days later, before any meaningful subscriber relationship had been developed, the data subject submitted an access request under Article 15 GDPR. The company refused to act on the request, invoking Article 12(5) GDPR. The data subject then added a claim for compensation under Article 82 GDPR for the amount of EUR 1,000. The company submitted, based on publicly available information, that the data subject in question systematically makes access requests for the sole purpose of obtaining compensation for an alleged infringement. The company then brought legal action before a German court, requesting declaratory relief that the data subject is not entitled to any compensation.

Key findings

The CJEU confirms that even an initial data subject access request may, in exceptional circumstances, be classified as excessive or abusive. If this is the case, controllers may have the right to refuse to act on such request. In the CJEU’s view, the decisive criterion is not the form of the request, but the purpose for which it is exercised. According to the CJEU, an access request is abusive, if the controller can demonstrate that the access request was not intended to verify the lawfulness of data processing, but made solely to artificially create conditions for a compensation claim under Article 82 GDPR:

“Article 12(5) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) must be interpreted as meaning that a first request for access to personal data made by the data subject to the controller pursuant to Article 15 of that regulation may be regarded as ‘excessive’, within the meaning of that Article 12(5), where that controller demonstrates, in the light of all the relevant circumstances of the case, that, despite formal observance of the conditions laid down by those provisions, that request was made by the data subject not for the purpose of being aware of the processing of those data and verifying the lawfulness of that processing, in order to be able, subsequently, to obtain protection of his or her rights under that regulation, but with an abusive intention, such as that of artificially creating the conditions laid down for obtaining an advantage from that regulation.”

The fact that, according to publicly available information, the data subject made a large number of requests for access to his or her personal data, followed by claims for compensation, to various controllers, may be taken into consideration for the purpose of establishing the existence of such an abusive intention. However, the CJEU stresses that the controller must demonstrate unequivocally that the request has been made with such abusive intention, meaning that it will be necessary to take into account all the circumstances of the case. 

The judgment also clarifies two issues of structural importance for Article 82 GDPR compensation claims: 

• First, the CJEU confirms that an infringement of Article 15 GDPR may trigger Article 82 GDPR compensation claims, even if the underlying processing was lawful.
• Second, the CJEU confirms its earlier position in that the non-material damage suffered by the data subject encompasses the loss of control over his or her personal data or his or her uncertainty as to whether his or her data has been processed. Furthermore, the CJEU stresses that the data subject must demonstrate that (i) the data subject actually suffered such non-material damage and (ii) the data subject’s own conduct was not the determining cause of that damage.

Accordingly, the mere refusal to act on a data subject's access request will not be sufficient to trigger compensation claims. Nor will the mere allegation by a data subject of fear caused by a loss of control over his or her personal data give rise to compensation.

Practical implications

The judgment reshapes the compliance landscape in the following main respects:

• Controllers now have a confirmed legal basis for resisting manifestly strategic access requests, including first-time ones. However, refusal must be based on a documented and substantiated factual record specific to the individual request. Controllers should implement structured processes for identifying and assessing potentially abusive requests and maintain documentary evidence capable of withstanding judicial scrutiny.
• Controllers facing Article 82 GDPR compensation claims should carefully assess whether the data subject is able to identify any real-world harm. Alleged fear can result in compensation claims only if such fear can be regarded as well founded.

Interplay with the European Commission’s Digital Omnibus Regulation Proposal

As part of its Digital Omnibus proposal of 19 November 2025, the European Commission proposed specific amendments to Article 12(5) GDPR. According to the European Commission, controllers should have the right to refuse to act on data subject access requests where the data subject “abuses the rights conferred by this Regulation for purposes other than the protection of their data”, in particular “where the data subject intends to cause the controller to refuse an access request, in order to subsequently demand the payment of compensation, potentially under the threat of bringing a claim for damages.” Similarly, “overly broad and undifferentiated requests should also be regarded as excessive”. Furthermore, in the European Commission’s view, controllers should bear a lower burden of proof regarding the excessive character of a request.

At first glance, CJEU’s ruling appears to render much of this legislative effort redundant. The CJEU has already confirmed that (i) first-time access requests can be abusive (ii) a data subject’s intention to generate compensation claims can be abusive and (iii) controllers can rely on publicly available evidence to substantiate the abusive character of an access request, all without legislative amendment.

Yet the case for legislative action remains valid: The CJEU’s ruling resolves the principle but leaves its application highly fact-sensitive and dependent on interpretation by national courts.