When does a first DSAR become excessive?

When can a data access request cross the line from legitimate to abusive? On 19 March 2026, the European Court of Juctice ruled in Brillen Rottler (Case C-526/24)  that even a first DSAR can be refused under Article 12(5) GDPR as "excessive" where the controller demonstrates it was made with abusive intent.

The case concerned an Austrian individual who subscribed to Brillen Rottler’s newsletter and, 13 days later, submitted a DSAR under Article 15 GDPR. Within one month, the company refused the request as abusive under Article 12(5), relying on publicly available information suggesting that the individual had systematically submitted DSARs to various controllers solely to obtain compensation for alleged GDPR infringements he had deliberately engineered. The individual maintained his request and added a claim for €1,000 in non‑material damages under Article 82.

The key rulings of the Court include:

• Decisive factor is intent not just the number of requests: Whether a request is "excessive" turns on both qualitative and quantitative characteristics. While frequency or repetition may be indicators, the data subject's intent is the more decisive factor.  
• Burden of proof: Abusive intent must be demonstrated by the controller. Relevant circumstances to consider include the time elapsed between the provision of the data and the access request, the data subject's conduct (such as repeated DSARs followed by compensation claims across multiple controllers), and the underlying objective of the request.
• Exceptional for first-time requests: Reliance on Article 12(5) in respect of first-time requests should remain exceptional. The high evidential threshold remains and controllers are subject to strict criteria where a request is the first of its kind.
• Compensation requires actual damage: Article 82(1) GDPR provides a right to compensation for damage stemming from an infringement of Article 15(1) GDPR (such as where the refusal process is defective), regardless of whether the infringement involved unlawful processing. However, compensation is excluded where the data subject's own conduct was the decisive cause of the damage. 

The judgment offers controllers slightly greater flexibility to refuse DSARs not genuinely aimed at verifying the lawfulness of processing, although the evidential burden remains high. It signals clearly that GDPR rights cannot be weaponised or relied upon for abusive or opportunistic ends, albeit it will likely be rare that there is sufficient evidence to meet the threshold of an abuse of process. The judgment also recognises that the lower threshold of “uncertainty” about processing may still amount to non‑material damage. 

French perspective: DSARs as a litigation tool in employment disputes

In France, the ECJ's reasoning in Brillen Rottler resonates particularly strongly in the employment context, where DSARs are increasingly weaponised as tactical instruments or "fishing expeditions" by employees seeking leverage in disputes. French courts have, in recent months, drawn a consistent line: Article 15 confers a right to personal data, not to documents, and controllers may respond proportionately to requests that are disproportionately broad or pursue purposes extraneous to the right of access.

This emerging jurisprudence sends a clear signal: the GDPR is not a backdoor to documentary disclosure that would otherwise be unavailable in litigation. 

Brillen Rottler therefore reinforces an approach already emerging in French employment litigation. Timing, scope and context matter. Where a DSAR is made on the eve of a dispute, framed in unusually broad terms, or coupled with compensation claims, this may support an inference that the request pursues a purpose foreign to the right of access. While refusals remain exceptional and tightly policed, the focus on intent and proportionality strengthens the defensive toolkit available to employers faced with tactical DSARs.

The message for French employers is therefore nuanced: Article 12(5) is not a licence for blanket refusals, but it can operate as a narrow shield against abusive strategies, provided the refusal is carefully reasoned, proportionate and fully documented.

UK perspective: Assistance will depend on context

While Brillen Rottler applies only in the EU, the ruling is consistent with guidance from the ICO relating to the same language of "manifestly unfounded or excessive" in the UK GDPR. The ICO considers a request may be manifestly unfounded if a data subject "clearly has no intention to exercise their right or if the request is malicious in nature". 

In an employment context, the decision of Brillen Rottler is unlikely to shift the dial significantly. DSARs have long been a feature of employment disputes, by employees seeking leverage (given the potential cost in producing a response) or attempting to circumvent the lack of pre-action disclosure in UK employment tribunals. Nearly a decade ago the UK courts took the same approach as the French courts to a certain extent, reiterating that data subjects are entitled to data, not documents, and that any search for personal data only needs to be reasonable and proportionate. However, both the courts and the ICO are clear that "an employer cannot refuse to provide the information just because it thinks the person wants it for litigation purposes. The purpose behind a request is not relevant in considering whether a request is valid." At most, a "collateral purpose" may be considered as one of multiple factors in justifying whether a request is manifestly unfounded or excessive. That remains a high threshold in the UK and, as in Brillen Rottler, requires clear evidence that a data subject is abusing their rights to further their position, whether in litigation or otherwise. 

For further detail and analysis, see our Data Notes blog post.