
Limit for abusive GDPR requests.
Can a company reject a request for information under the GDPR as an abuse of rights from the very first request? When does a company owe damages if it refuses to provide information? Is the mere suspicion that someone is systematically making data protection requests enough to provoke claims for damages?
What is it about?
In March 2023, a private individual living in Austria signed up for the newsletter of a German optician company. Just 13 days later, she submitted a request for information under data protection law as she wanted to know what personal data the company was processing about her. The optician company refused to provide the information and described the request as an abuse of rights. The reasoning: It was apparent from publicly accessible sources, blog posts and reports that the individual was following the same pattern with numerous other companies: Signing up for a newsletter, then requesting information, then claiming damages. When the person pursued their claim and demanded an additional 1,000 euros in damages, the company turned to the Arnsberg District Court. The court referred the case to the European Court of Justice.
Legal background
Data protection law grants every person the right to find out from a company what personal data about them is being processed. In principle, this right to information must be fulfilled free of charge. However, the GDPR stipulates that a controller can refuse to provide information if a request is “manifestly unfounded or excessive”. The law explicitly mentions frequent repetition as an example. But what applies if it is a first request? And what claims for damages arise in the event of a refusal to provide information?
The ECJ’s decision
With its judgment of 19.03.2026 (Ref. C-526/24), the ECJ answered three key legal questions.
Firstly, the Court clarified that even an initial request for access can be classified as excessive within the meaning of the GDPR if the controller proves that the request does not serve the actual purpose of the right of access, namely to enable the individual to control the processing of their data and protect their rights. Instead, a request may be excessive if it was made with abusive intent, for example to artificially create the conditions for a claim for damages. Publicly available information showing that the same person has followed the same pattern with many other companies may be taken into account.
A first request for access to personal data made by the data subject to the controller may be considered “excessive” if the controller proves that this request was made with abusive intent, for example to artificially create the conditions for obtaining an advantage.
Secondly, the ECJ affirmed that the GDPR gives rise to claims for damages even if no actual data processing has taken place. Even the infringement of the right to information, i.e. the unlawful refusal to provide information, can constitute compensable damage. This is significant insofar as companies can therefore also be liable for not responding to data protection requests.
Thirdly, the ECJ clarified that the loss of control over one’s own data or uncertainty about data processing can constitute non-material damage. However, this must actually be proven. A mere assertion is not sufficient and the causal link may be broken if the data subject has caused the damage themselves through their own conduct.
What does this mean for companies?
The ruling has considerable practical significance. On the one hand, it protects companies from systematic abuse of the right to information. Anyone who can prove that an applicant always follows the same pattern and systematically generates claims for damages can also reject an initial application. On the other hand, caution is required. The burden of proof lies with the company and the hurdle is high. General assumptions are not enough. Companies should therefore always respond to requests for information in a timely manner and only claim abuse in well-documented exceptional cases.
Also particularly important is the clarification that an unlawful refusal to provide information can result in compensation for damages, even if no data has been processed. Companies should review their internal processes for dealing with data protection requests and ensure that they are processed correctly and in good time.
Conclusion
The ECJ ruling protects companies from a form of abusive use of data protection law that has already caused considerable expense and financial damage in practice.
Nevertheless, the boundary between the legitimate exercise of the right to information and abuse remains fluid. The court expressly emphasized that the intention to abuse must be proven in each individual case.
The reassuring message for companies is that anyone who can provide proof does not have to comply with the first request. In addition, requests for information must be taken seriously and responded to in a timely manner.







