https://usancen.lawthek.eu/en/blog/lawthek/limits-for-abusive-gdpr-requests-dd2e1514/
Data Privacy Law 

Limits for Abusive GDPR Requests

Benn-Ibler Rechtsanwälte

GDPR  General Data Protection Regulation  compensation for damages  personal data  request for information 

In the case at hand, a person living in Austria had signed up for a German optician’s newsletter by entering personal information into the company’s online registration form. Several weeks later, the individual contacted the optician's shop to request information under the General Data Protection Regulation (GDPR).

Request refused because of misuse

The optician shop refused the application, labelling it as abusive. Media reports suggest the applicant intentionally subscribed to multiple company newsletters, requested information, and then sought compensation. In this particular case, despite the rejection, the applicant continued to demand at least EUR 1,000.00 as compensation for the alleged non-material harm caused by the denial.

Personal data requests can be deemed excessive

A district court in Germany, which is dealing with the aforementioned requests has referred a preliminary question to the Court of Justice of the European Union (CJEU) on whether a first request by the individual for information about their personal data can be considered ‘excessive’ and whether this individual has a right to compensation for damages arising from a breach of the right to information about these data.

The CJEU found that even a first request for information can, under certain circumstances, already be considered ‘excessive’ within the meaning of the GDPR and thus may be deemed abusive.

This is the case when the data controller can demonstrate that, despite formal compliance with the requirements set out in the GDPR for submitting an information request, this request was not actually made.

The fact that the data subject has previously submitted several requests for information about their personal data, followed by claims for compensation against various controllers can be considered when determining such an abusive intent.

Individuals who have experienced material or non-material harm as a result of a GDPR violation—including breaches concerning the right to information about personal data—are eligible to seek compensation from the data controller. The Court has established that such individuals must provide evidence of actual damage as a prerequisite for compensation. Additionally, compensation under the GDPR is not available if the individual’s own actions were the primary cause of the damage.

 

 CJEU C-526/24 (19 March 2026)



More Services

LawThek Efficient Legal Information LawThek uses cutting-edge technologies like graph databases and AI to make legal information accessible. (opens in new tab) JobThek Legal Jobs The job board for legal professionals – find your next career opportunity in the legal sector. (opens in new tab) LegalNetics Innovative LegalTech Solutions Transform your legal documents into connected knowledge with LegalNetics. (opens in new tab)