Find a lawyerOur capabilitiesYour career
Locations
Our capabilities
News

Select language:

Locations
Our capabilities
News

Select language:

hamburger menu showcase image
  1. Our thinking
  3. Blogs
  5. Risk and Compliance
  7. When does a GDPR violation trigger compensation? The CJEU draws clearer lines in Brillen Rottler
7MIN

When does a GDPR violation trigger compensation? The CJEU draws clearer lines in Brillen Rottler

Apr 14 2026

The right of access under Art. 15 GDPR has become one of the most litigated provisions in European data protection law. Its original purpose – enabling individuals to understand and verify how their personal data are processed – is well established. In practice, however, it has increasingly been weaponized: used not to obtain information, but to manufacture compliance failures and extract compensation. As businesses face a growing volume of such claims, the question of when a GDPR violation actually gives rise to a right to compensation – and what defences are available – has become critical.

On 19 March 2026, the Court of Justice of the European Union (CJEU) delivered its judgment in Case C‑526/24 (Brillen Rottler). The ruling addresses, among other questions, whether compensation can be claimed under Art. 82(1) GDPR for a mere refusal to provide access – even absent any actual data processing – and what role the data subject’s own conduct plays in the assessment of causation. For a detailed analysis of the CJEU’s findings on when a first access request can be refused as ‘excessive’ under Art. 12(5) GDPR, we refer to our recent blog post

The facts: a familiar playbook

The case concerned an individual from Austria who, in March 2023, subscribed to the newsletter of Brillen Rottler, a small family-run German optician company. Thirteen days later, the individual submitted an access request under Art. 15 GDPR. The company refused, classifying the request as excessive under Art. 12(5) GDPR. The individual then pursued both an access claim and a damages claim of at least EUR 1,000 under Art. 82 GDPR.

The company argued – pointing to various online reports and lawyer blog posts – that this individual systematically followed the same pattern across numerous cases: subscribe to a newsletter, file an access request, then claim damages. As the CJEU summarized, the access request was allegedly filed “for the sole purpose of obtaining compensation for an alleged infringement, which he deliberately provokes, of his rights under the GDPR.“

The referring court, the District Court of Arnsberg, stayed the proceedings and referred eight questions to the CJEU.

The CJEU recalibrates the scope of GDPR compensation

The most significant findings of the judgment concern the scope and limits of compensation under Art. 82(1) GDPR. The CJEU addressed three interconnected questions: first, whether compensation extends to violations that do not involve data processing; second, what constitutes non-material damage; and third, whether the data subject’s own conduct can sever the causal link.

Compensation is not limited to unlawful processing, but proof of specific and causal damage is still required

The CJEU first examined the wording of Art. 82(1) GDPR, which grants a right to compensation to any person who has suffered damage “as a result of an infringement of this Regulation.” The CJEU noted that this provision contains no reference to “processing”, and that limiting the right to compensation to damage resulting from data processing would undermine its effectiveness. The CJEU further noted that violations of the GDPR’s Chapter III rights – such as access, rectification, erasure or data portability – may arise not from processing itself, but from a refusal to act on a data subject’s request. Excluding such cases from the scope of Art. 82(1) would deprive the provision of its practical effect. 

Based on this reasoning, the CJEU concluded that Art. 82(1) GDPR confers a right to compensation for damage resulting from a violation of the right of access – even where the infringement does not itself involve unlawful processing of personal data. However, the CJEU’s finding does not alter the requirement that, where a data subject relies on a violation of Art. 15 GDPR in order to claim damages, they must still prove that they have suffered damage specifically linked to that violation. 

Loss of control and uncertainty can cause damage – but must be proven

The CJEU then turned to the nature of non-material damage. Drawing on recital 85 GDPR, which, in the CJEU’s view, includes “loss of control” over personal data in an illustrative list of harm, the CJEU confirmed that both a loss of control over personal data and uncertainty about whether data have been processed can in principle cause non-material damage under Art. 82(1). 

This distinction is critical: the “loss of control” is a potential cause of damage, not the damage itself. In line with the CJEU case law (also C-655/23 – Quirin Privatbank), the claimant must go further and demonstrate that this loss of control resulted in actual negative consequences. A mere assertion of fear or anxiety is insufficient; the claimant must prove that these feelings led to concrete, proven negative effects. 

There is no de minimis threshold: national law may not require the damage to reach a certain level of seriousness. However, the CJEU was equally clear that damage cannot be presumed from the mere fact of a violation. The claimant must demonstrate that they have actually suffered such damage – however minimal – and that the consequences they allege are distinct from the violation itself. 

The causation defence: the strategically decisive holding

The CJEU’s most significant contribution for defendants may be its ruling on causation. The CJEU held that the causal link between the alleged infringement and the alleged damage can be broken by the data subject’s conduct, provided that conduct proves to be the “determining cause” of the damage. Such conduct may consist of a deliberate decision by the data subject – for instance, a decision to submit personal data to a controller for the sole purpose of artificially creating the conditions for a compensation claim. Where that is the case, no compensation is owed. 

This finding is significant because it provides a self-standing defence that does not depend on whether the access request was correctly classified as “excessive” under Art. 12(5) GDPR. Even where a controller fails to meet the high evidential burden for refusing an access request, it may still defeat the compensation claim at the causation stage – provided it can show that the data subject’s conduct was in fact the determining cause of the alleged harm.

Broader context: A trend towards judicial pragmatism

This ruling is part of a broader trend of courts recalibrating the boundaries of GDPR rights. As we noted in a previous blog post on the FCJ’s ruling of 18 December 2025 in I ZR 115/25, the German Federal Court of Justice (FCJ) has also pushed back against the over-extension of access rights by strictly limiting what qualifies as “personal data” in the first place. Similarly, the FCJ has affirmed the role of 'legitimate interests' in data-driven risk management, ruling that credit rating agencies may retain privately-held data for longer, risk-based periods, a development detailed in our briefing on that landmark data retention ruling. 

Further, by explicitly referencing Recital 4 of the GDPR in its reasoning, the CJEU signals that the right to data protection is not absolute and must be balanced against other fundamental rights, such as entrepreneurial freedom, in line with the principle of proportionality. Together, these decisions reflect a welcome judicial effort to strike a more reasonable balance between individual rights and the legitimate operational interests of businesses.

What businesses should take away

Viewed from the perspective of companies regularly fielding access requests, the judgment is a mixed but ultimately positive development.

On the one hand, the broad interpretation of Art. 82(1) GDPR – extending liability to procedural failures beyond data processing – means that a wrongful refusal of access is itself an event potentially leading to compensation. Companies cannot simply ignore requests without risk.

On the other hand, the CJEU has built robust safeguards against the instrumentalization of this liability framework.

The requirement that damage must be proven – and cannot be presumed from the infringement alone – provides a first line of defence. The causation defence adds a second, but equally powerful one: where a data subject has artificially created the conditions for a claim, the causal chain is broken regardless of whether the access request was correctly refused.

Three practical recommendations emerge:

  • Document the indicators. The CJEU’s list of relevant factors – voluntary nature of data provision, purpose, timing, conduct – provides a concrete framework not only for the excessiveness assessment under Art. 12(5) GDPR but also for demonstrating an interruption of the causal link under Art. 82(1) GDPR. Companies should consider these elements when a request raises concerns.
  • Refuse only with a robust factual basis – but do not stop there. The burden of proving the excessive character of a request lies squarely with the controller, and the threshold remains high. However, even where a refusal is ultimately found to be unjustified, the causation defence remains available at the damages stage. Companies should therefore build their evidential record with both lines of defence in mind.
  • Invoke the causation defence in damages proceedings. The CJEU’s ruling on the interruption of the causal link is perhaps the most strategically significant element for defendants – particularly in mass claims, where claimants frequently follow a standardized pattern. Where a data subject has artificially created the conditions for a claim, the causal chain between the refusal and the alleged damage is broken. This provides a strong defence at the individual assessment stage of any damages proceedings.

The judgment also arrives at a pivotal moment in the legislative process. The European Commission’s Omnibus Proposal (see our previous blog post) would amend the GDPR to include an express ground for refusing access requests that abuse GDPR rights for purposes other than data protection. The CJEU’s test – centered on abusive intention – now provides a judicial benchmark against which any legislative formulation will be measured.

The judgment does not resolve every question. National courts will still need to apply these principles case by case, and the precise evidentiary standard for demonstrating both abusive intent and artificial causation will develop over time. But Brillen Rottler sends a clear signal: the GDPR’s rights framework is not a toolkit for manufacturing claims. Companies that prepare carefully and document thoroughly now have stronger ground on which to stand.

Tags

consumerconsumer protectiondisputeseu digital markets acteuropelitigationtech media and telecoms

Authors

Frankfurt am Main, Munich

Martin C. Mekat

Partner
Düsseldorf

Christoph Werkmeister

Global Co-Head of Data/Tech
Berlin

Dawid Ligocki

Principal Associate
Latest Insights

Latest Insights

NAVIGATE TO
About usLocations and officesYour careerOur thinkingOur capabilitiesNews
CONNECT
Find a lawyerAlumniContact us
NEED HELP
Fraud and scamsComplaintsTerms and conditions
LEGAL
AccessibilityCookiesLegal noticesTransparency in supply chains statementResponsible procurementPrivacy

Select language:
Select language:
© 2026 Freshfields. Attorney Advertising: prior results do not guarantee a similar outcome