Mani-first-ly vexatious or excessive: when can a single DSAR be refused under Art 12(5)

26 March 2026

On 19 March 2026, the Court of Justice of the EU (‘CJEU’) handed down judgment in Brillen Rottler GmbH & Co (Case C-526/24).

Brillen Rottler, a family-run opticians, sought a declaration in respect of its refusal to comply with a data subject access request (‘DSAR’) which it contended fell under Art 12(5) of the GDPR as manifestly unfounded or excessive. The data subject signed up for Brillen Rottler’s newsletter – entering his personal data on their website and consenting to its processing – and very shortly thereafter made his DSAR pursuant to Art 15 GDPR. Brillen Rottler declined to comply with it, citing Art 12(5) and referring to reports, blogs and lawyers’ newsletters that indicated the data subject systemically and abusively made DSARs, solely in order to obtain compensation for alleged infringements of the GDPR, which he had deliberately provoked. The data subject responded by demanding 1,000 euros in compensation, which one suspects will not have dispelled Brillen Rottler’s impression of him.

The matter was referred to the CJEU, which held that even a first DSAR may be “excessive” within the meaning of Art 12(5) GDPR. The Court justified this – in part – on the basis of “the general principle of EU law to the effect that EU law cannot be relied on for abusive or fraudulent ends” (see [30]). Provided that a controller can demonstrate in the circumstances of a particular case that the data subject bears an “abusive intention”, it may avail himself of the protection of Art 12(5) ([31]). Such a finding will be “exceptional” and subject to “strict criteria” ([35]). Those criteria are both objective (the circumstances of the case in which the purpose of the legislation has not been achieved) and subjective (the intention of the data subject “to obtain an advantage from the EU rules by artificially creating the conditions laid down for obtaining it”) ([36]). It was repeatedly noted that – as is explicitly set out in Art 12(5) – the burden of proof lies with the data controller.

In the instant case, the CJEU did not consider that the data subject could be said to have failed the objective limb of the test: in that, his DSAR “could, formally speaking, constitute an implementation of [his] right of access in order to achieve the purpose of those rules” ([38]). However, when considering the subjective limb, the Court was persuaded by the fact that he had provided personal data voluntarily, without being obliged to do so; had swiftly made his DSAR after doing so; and, seemingly, his general “conduct” ([42]). The Court also confirmed that it was acceptable to take into account the public information relating to the data subject’s alleged modus operandi, “provided it is supported by other relevant material” ([43]).

One always has to treat somewhat cautiously how persuasive English and Welsh Courts will find a CJEU judgment post-Brexit. It is also worth noting the very specific facts of this case, where it seemingly could be evidenced that the data subject frequently submitted his personal data for processing solely so that he could allege infringement of his rights and seek compensation. One would imagine that such cases will be few and far between: particularly for data controllers who are public authorities, who will likely only hold a small amount of data pursuant to consent. Provided that a contrived and abusive intention can be demonstrated, however, it does seem possible that the rationale in Brillen Rottler could be of assistance to data controllers. The relevant ICO Guidance (available here) interestingly draws a clear distinction between the meaning of “manifestly unfounded” and “excessive” (with the circumstances in Brillen Rottler seeming to more neatly slot into the former than the latter), while also emphasizing the high bar of demonstrating either.