Bottom line: The EU Court of Justice has clarified that even a first access request under Art. 15 GDPR can constitute abuse of rights if it aims exclusively at damages. Companies can refuse such requests but must meet high evidentiary requirements. Furthermore, data subjects can claim damages if violation of the right of access causes immaterial harm.
The Court of Justice of the European Union has for the first time clarified that even an initial access request under Art. 15 GDPR can constitute abuse of rights. The decisive factor is the requestor’s intent, not the number of requests.
An Austrian consumer had signed up for a newsletter from a German optician and subsequently filed an access request. The company refused, invoking abuse of rights. The case reached the Court of Justice of the European Union (CJEU), which clarified important principles regarding abuse of access rights.
The Court confirmed for the first time expressly that an initial access request can constitute abuse of rights. What matters is not the number of requests, but the intent with which they are made. A request is excessive if it does not serve transparency but aims exclusively at artificially creating prerequisites for claims for damages.
However, the Court of Justice emphasizes that the evidentiary requirements for proving abuse are high. Companies can rely on publicly available sources showing that a person proceeds systematically in comparable cases. This is not proof, but an important indication in an overall assessment. Also relevant are the timing of data transmission, the time elapsed since the request, and the data subject’s conduct before and after the request.
The CJEU makes clear that claims for damages under Art. 82 GDPR can be asserted even when the harm results solely from violation of the right of access. Unlawful data processing is not required. The Court recognizes both loss of control over personal data and uncertainty regarding its processing as immaterial harm, provided such harm actually occurred and was not caused by the data subject’s own conduct.
The ruling provides valuable guidance to companies. The right of access remains a key transparency instrument and must in principle be applied generously. At the same time, the CJEU shows that controllers are not defenseless against abusive requests. They can refuse a request if they can demonstrate plausible evidence of intentional abuse – but subject to high thresholds, as a two-stage proof is required: objective circumstances indicating artificially created conditions, as well as a subjective element of abusive intent.
Source: www.activemind.legal