On 19 March 2026, the Court of Justice of the European Union (CJEU or Court) issued its judgment in Case C-526/24, Brillen Rottler GmbH & Co. KG v TC. The case concerned a data subject who subscribed to a German optician’s newsletter and, thirteen days later, submitted an access request under Article 15 GDPR. The company refused the request, arguing it was abusive. The data subject maintained it was legitimate and claimed at least €1.000 in non-material damages.
The CJEU’s judgment addresses three questions of broad significance: (1) when a first access request can be refused as “excessive”; (2) whether a violation of the right of access alone can give rise to a compensation claim under Article 82 GDPR; and (3) how non-material damage should be assessed in that context. While the judgment is relevant to all companies subject tot GDPR, we examine below the considerations it raises for life sciences companies specifically.
1. First access requests can be refused as excessive, but the bar is high
The CJEU confirmed that even a first access request under Article 15 GDPR can be refused as “excessive” within the meaning of Article 12(5) GDPR. The repetitive nature of requests is merely one indicator of excess, not a prerequisite.
However, the Court was clear that this is an exception that must be interpreted strictly. To refuse a first request, the controller must demonstrate, based on all relevant circumstances, that the data subject submitted the request not to understand how their data is being processed or to verify its lawfulness, but with an abusive intent: for example in this case, to artificially create the conditions for obtaining compensation under the GDPR.
Relevant circumstances to assess abusive intent include: whether the data subject provided their personal data voluntarily without being obliged to do so, the stated purpose of that provision, the time elapsed between the provision of data and the access request, and the data subject’s conduct more broadly. Publicly available information showing that the same individual has submitted numerous access requests followed by compensation claims against multiple controllers can also be taken into account, provided it is corroborated by other evidence. The judgment confirms that the burden of proof rests firmly on the controller.
Practical impact for life sciences companies: Although many processing activities in the life sciences sector do not involve the voluntary provision of personal data in the sense contemplated by the Court, given that data is often provided out of therapeutic necessity, professional obligation or legal requirement, there are circumstances where the Brillen Rottler pattern may arise. These include commercial and communications activities such as HCP portals, medical information services, newsletter subscriptions and congress registrations, where individuals provide their personal data on a wholly discretionary basis. In those contexts, the judgment is useful because it confirms that controllers are not without recourse when faced with access requests made not to understand or verify the processing of personal data, but to manufacture a compensation claim. That said, the threshold is high and the burden of proof rests entirely on the controller, meaning that companies should ensure the circumstances surrounding each access request are carefully documented from the outset so that any refusal decision can be substantiated if challenged.
2. Compensation is available for breaches of the right of access, without requiring a processing activity
The CJEU ruled that Article 82(1) GDPR confers a right to compensation for damage resulting from a breach of the right of access under Article 15(1) GDPR, even if that breach does not itself involve an act of data “processing”.
The Court reasoned that Article 82(1) refers broadly to “a violation of this Regulation” and contains no restriction to processing-related violations. Limiting compensation to processing acts would undermine the effective protection of data subjects’ rights and deprive many Chapter III rights, including the rights of access, rectification and erasure, of their practical effect, given that violations of those rights often arise precisely from a controller’s refusal to act, rather than from the processing itself.
Practical impact for life sciences companies: The judgment has direct implications for how life sciences companies handle access requests. A wrongful refusal, even if no underlying data processing is itself unlawful, can trigger a damages claim. Companies that refuse access requests on the basis of the “excessive” exception must be confident they can meet the evidentiary standard required by the Court. A poorly documented or unjustified refusal exposes the company to compensation liability, irrespective of the underlying processing activities.
3. Non-material damage: loss of control is in scope, but must be proven
On the question of what constitutes compensable non-material damage, the Court confirmed that loss of control over personal data and uncertainty as to whether data has been processed can in principle constitute non-material damage within the meaning of Article 82(1) GDPR.
However, this is not automatic. The data subject must demonstrate that they actually suffered such damage and that the damage is distinct from the mere fact of the existence of a GDPR violation. A bare allegation of concern is insufficient.
The Court introduced an important nuance. Where the data subject’s own conduct was the determining cause of the alleged damage, the causal link is broken and no compensation can be awarded. This will be the case where the data subject deliberately submitted their personal data in order to manufacture a compensation claim rather than for any genuine purpose. The so-called self-inflicted damage does not give rise to a right to compensation under Article 82(1) GDPR.
Practical impact for life sciences companies: For life sciences companies facing compensation claims following a refused or delayed access request, this ruling provides a potentially important defence. Where the evidence shows that a data subject submitted their personal data for the sole purpose of triggering a compensation claim, rather than for any genuine engagement with the company’s services or research, the company can argue that the causal link between any alleged damage and the company’s conduct is severed by the data subject’s own behaviour. This argument must, however, be made carefully and on the specific facts.
Key Takeaways
- Companies may refuse even a first access request as “excessive” under Article 12(5) GDPR, but only where they can demonstrate, based on all relevant circumstances, an abusive intent on the part of the data subject. The burden of proof lies with the controller and the threshold is high.
- A wrongful refusal of an access request can give rise to a compensation claim under Article 82(1) GDPR, even in the absence of any unlawful processing act. Life sciences companies should ensure that access request refusals are robustly documented and legally defensible.
- Non-material damage can include loss of control over personal data, but the data subject must demonstrate actual damage. Where the data subject’s own conduct was the determining cause of the damage, no compensation is due.
- Companies should review their data subject access request (DSAR) response procedures in light of this judgment, paying particular attention to: (i) the evidentiary documentation required to support a refusal decision; (ii) the risk of compensation claims following unjustified refusals; and (iii) the circumstances in which a causal link defence may be available.