Open navigation
Search
Search
All expertise
Explore our breadth of expertise.
International Desks
Helping you access overseas markets with support from our country and region-specific experts
Sectors View all
Practice Areas View all
Offices
Discover the scope of our presence in the jurisdiction.
Global Reach
Learn about our capabilities beyond borders.
CMS Germany
CMS Germany Abroad
All insights
Leverage our expert analysis, intelligence and thought leadership for your strategic advantage.
Personalised updates
Receive tailored insights and intelligence that apply directly to your business.
Topics in focus View all
Insights by type
Press releases
CMS News
Stay up to date with our growth, evolution and our many successes.
CMS Press Office - Press Room Germany
Contact us
For all general enquiries.
About CMS
CMS Careers

Select your region

International Europe Africa Asia-Pacific The Americas Middle East
Deutsch English
Legal Update

CJEU on the GDPR: Abuse of rights, causation and compensation

27 Apr 2026 Germany 7 min read
CJEU rules on right of access under Article 15 GDPR and on compensation under Article 82 GDPR. When is the assertion of GDPR rights considered an abuse of rights?

Having already handed down a number of relevant decisions on GDPR compensation in recent years, the Court of Justice of the European Union (CJEU) is continuing with the course of its case law in 2026, focusing in particular on the right of access under Article 15 GDPR. In the German proceedings Case C-526/24 ("Brillen Rottler"), various legal questions arose regarding the right of access under Article 15 GDPR and the right to compensation under Article 82 GDPR, which had previously been a subject of dispute in German courts. The focus was on three aspects in particular: the limits of abusive requests for access, the scope of the right to compensation under Article 82 GDPR, and the question of the conditions under which a causal link between a breach of the GDPR and damage is established.

Alleged "GDPR hopper" requests access after 13 days and subsequently seeks compensation

The proceedings were based on something that seems to be a growing trend: In 2023, a person resident in Austria subscribed to the Brillen Rottler GmbH & Co. KG newsletter via the company’s website. Just 13 days after subscribing, they submitted a request for access under Article 15 GDPR. The company rejected the request within the one-month time limit, citing Article 12 (5), second sentence, GDPR. It considered the request for access to be an abuse of the law. The company had investigated the matter and come across evidence suggesting that the individual in question was systematically submitting requests for access with a view to subsequently claiming compensation. This approach is typical of so-called "GDPR hoppers".

After the request for access was rejected, the data subject claimed compensation in the amount of EUR 1,000 for non-material damage under Article 82 GDPR. The company subsequently brought an action for a declaratory judgment that the claim did not exist; the individual concerned filed a counterclaim seeking compensation. Preliminary proceedings before CJEU referred from Arnsberg Local Court Arnsberg Local Court, which is hearing the case, referred several questions regarding interpretation of the GDPR to the Court of Justice of the European Union in its decision of 31 July 2024 (42 C 434/23). These concerned, in particular, the conditions for an "excessive" request for access and the scope of the right to compensation under Article 82 GDPR.

Can the very first request for access be "excessive" and therefore constitute an abuse of law?

Arnsberg Local Court first sought to determine whether an initial request for access could already be classified as "excessive" within the meaning of Article 12 (5), second sentence, GDPR. The CJEU expressly confirms that it can. It is not the number of requests that is decisive, rather their nature. However, the concept of an "excessive request" must be interpreted narrowly, meaning that strict criteria must be applied when determining whether there has been an abuse. In the view of the CJEU, determining whether conduct constitutes an abuse must be assessed on two levels:

  • Objective element: The objective of the GDPR is not being achieved, although the requirements are technically being complied with.
     
  • Subjective element: The person concerned intends to gain an advantage by artificially creating the conditions for a claim.

The burden of proof regarding the fulfilment of these conditions lies with the data controller. All the circumstances surrounding the individual case must be taken into consideration. The CJEU mentions, for example, the voluntary provision of the data, the purpose of such provision, the time elapsed between the data being entered and the request for access, and the data subject’s conduct overall.  

Taking publicly available information into account

Another practical question concerned the possibility of using publicly available information as evidence of improper conduct. The CJEU also confirmed this. For example, it is possible to take into account whether a person repeatedly submits requests for access to information to various data controllers and subsequently files claims for compensation. However, this is not sufficient in itself. Rather, all of the relevant circumstances must be assessed comprehensively.

Compensation under Article 82 GDPR even if data is not "processed"

The CJEU’s clarification regarding the scope of Article 82 GDPR is of considerable importance in practice. The Court has opted for a broad interpretation. In principle, a claim for compensation can arise in the event of any breach of the GDPR – regardless of whether it is directly linked to data processing. The CJEU refers, in particular, to the wording of Article 82 (1) GDPR and to recital 141. If compensation claims were limited to infringements relating to data processing, it would significantly undermine the effectiveness of data subjects' rights in practice.

The CJEU has therefore made it clear that a breach of the right of access under Article 15 GDPR may, in principle, also give rise to a claim for compensation. The issue had previously been a matter of dispute in German courts. The German Federal Labour Court had most recently expressly left this question open (BAG, judgment of 20 February 2025 – 8 AZR 61/24).

Causation between data protection breach and damage as a mandatory prerequisite
At the same time, the CJEU reaffirms its established case law according to which a claim for compensation does not automatically arise from every breach of the GDPR. Rather, three conditions must be met cumulatively:

  • a breach of the GDPR,
  • damage and
  • a causal link between the breach and the damage.

The burden of illustration and proof lies with data subject

At the same time, the CJEU maintains that non-material damage may arise simply from the loss of control over personal data or from uncertainty regarding its processing, even without the need to prove that the data has actually been misused.

Breach of causal link due to data subject's own conduct

The question of whether the conduct of the data subject themselves can break the causal link is of particular importance. The CJEU expressly confirms that it can. There is no entitlement to compensation if the damage claimed is ultimately attributable to a decision made independently by the data subject. This is particularly the case where the data subject deliberately provides their personal data with the specific intention of provoking a breach of the GDPR and subsequently claiming compensation. In such a scenario, the required element of liability for the damage is lacking, as the causal link is broken by the data subject's conduct.

With its decision, the CJEU provides important practical guidance.

Data controllers will have greater legal certainty when dealing with abusive requests for access. In particular, they do not have to wait for several requests to be submitted; instead, they can reject an initial request on the basis of the strict conditions set out in Article 12(5), second sentence, GDPR.

At the same time, it will be easier to prove malicious intent because publicly available information can also be taken into account. Furthermore, the CJEU is broadening the scope of Article 82 GDPR by allowing for compensation even for breaches of formal obligations. This leads to increased liability risks for companies. Against this background, it is advisable for data controllers to carefully review the process for handling requests from data subjects and ensure that it is carefully documented. Now Arnsberg Local Court has to rule on the case taking into account the principles established by the CJEU in this decision.

Our regularly updated German blog post on the case law on compensation in accordance with Article 82 GDPR provides up-to-date information on this topic.

More insights
Data Protection Law & IT Security Law GDPR Data protection compliance

Explore more

Legal Update Germany

DSGVO-Schadensersatz: laufend aktualisierte Urteilsübersicht

20 Feb 2026

Related expertise

Data protection compliance

Data Protection Law & IT Security Law

Back to top Back to top
Law-Now, RegZone, LEXplicite and Blogtt have moved to CMS.law. Law-Now has moved to CMS.law. RegZone has moved to CMS.law. LEXplicite has moved to CMS.law. Blogtt has moved to CMS.law.
Learn more Learn more Learn more Learn more
If you want to use third party tools, please enable personalisation cookies as part of your cookie preferences. You can change this setting at any time via the button below or in our Cookie Notice.