Access Denied: CJEU Closes The Door On Serial DSAR Litigants

March 23, 2026

Most organisations handling personal data will have received at least one subject access request that does not appear to have been made in good faith. 

Whether submitted by a ‘cookie troll’ — an individual who systematically triggers consent mechanisms to generate compensation claims — or by someone using the process for what seems like collateral purposes, the phenomenon can be frustrating and operationally challenging in equal measure. 

Last week, the Court of Justice of the European Union (CJEU) issued a judgment that will likely mark the beginning of the end for the serial litigant business model and also provides controllers with a firmer footing to reject other subject rights requests that are abusive in nature.

The Facts

The case concerned Brillen Rottler, a family-run opticians in Germany that received an Article 15 GDPR access request from an individual in Austria. That individual had subscribed to the company’s newsletter 13 days earlier — and when Brillen Rottler declined to comply with the request, the individual sought EUR 1,000 in non-material damages.

In its defence, Brillen Rottler presented evidence that the individual had a history of subscribing to companies’ newsletters and filing subject access requests shortly thereafter, then demanding compensation if the response was not to their satisfaction. Brillen Rottler argued that this was not a genuine exercise of the requester’s data protection rights, but rather something more akin to a shakedown.

The referring court asked the CJEU whether such conduct could render a subject access request “excessive” for the purposes of Article 12(5) of the GDPR, even if it was the first request that the individual had made to that controller. Last Thursday (19 March 2026), the Court answered “yes” and “yes.”

Article 12(5) of the GDPR entitles controllers to refuse requests that are “manifestly unfounded or excessive”, with “repeated” requests being one such example. But the CJEU made clear that the reference to repetition is “solely by way of example” — and, importantly, that a single request can be excessive if the circumstances demonstrate abusive intent. 

The Court framed its analysis as an application of a fundamental principle of EU law: that individuals may not fraudulently or abusively rely on rights conferred by Union legislation. The test is whether the controller can demonstrate “unequivocally” that the data subject submitted the request “for the purpose of artificially creating the conditions laid down for obtaining compensation”, rather than “for the purpose of being aware of the processing … and verifying the lawfulness of that processing”. In other words, purpose matters.

What Constitutes An Abusive DSAR?

The CJEU provided a non-exhaustive list of factors that may be relevant in constituting evidence of abusive intent:

  • Whether the data subject voluntarily provided their personal data. An individual who registers for a service that they have no intention of using, solely to manufacture the grounds for a legal claim, is in a different position to a person whose data were collected without meaningful choice or where provision was effectively unavoidable.

  • The purpose for which the data subject provided their personal data. Where the only objectively plausible explanation for the provision of data is the deliberate creation of a future claim, that inference weighs heavily against the good faith of any access request that follows.

  • The interval between provision of personal data and the submission of the access request. A short period — 13 days, as in Brillen Rottler — may be suggestive of an ulterior motive. The shorter the interval, the more difficult it is to maintain that the request reflects a genuine desire to understand or verify how the requester’s data are being processed.

  • The wider conduct of the data subject. Whether the individual has a documented history of similar behaviour is a relevant consideration, and the CJEU confirmed that controllers may rely on external evidence, including published reports and journalistic investigations documenting serial request-and-claim patterns.

None of these factors are determinative in isolation, and the burden of demonstrating abuse lies with the controller. What’s more, many subject access requests are made in good faith — and even those that accompany a challenging process (e.g., a corporate redundancy exercise) are not prima facie abusive. 

In that respect, Brillen Rottler doesn’t give controllers an ‘out’ for resisting requests that might look like they are designed to frustrate or seem to have been made in less than good faith. Controllers wishing to resist on that basis must still clear the high threshold under Article 12(5) of the GDPR — a bar that, as the case itself illustrates, courts will not lower merely because the requester's motives are suspect. But for organisations that have watched the GDPR bounty hunter phenomenon with growing frustration, this case is a meaningful development.

Causation Counts

Brillen Rottler also addresses what happens when a controller does infringe the GDPR — whether by failing to respond adequately to, or by wrongly refusing, a request — and the data subject seeks compensation under Article 82. In short, the CJEU held that even where an infringement exists, the individual must prove that they have suffered actual damage. Crucially, if their conduct was “the determining cause” of that damage, they are not entitled to compensation.

This conclusion has fatal implications for the serial litigant model. If an individual deliberately creates the conditions that give rise to the alleged harm (e.g., by providing data unnecessarily, by timing their requests to maximise the likelihood of controller error, and by documenting the process with a claim in mind), the causal chain between the controller’s conduct and the damages claimed by the data subject is broken. The CJEU makes clear that, in such cases, the requester cannot profit from their own cunning.

That said, Brillen Rottler does not give controllers a licence to refuse access requests that they find inconvenient or suspicious. An individual who submits a request for legitimate reasons is entitled to exercise their GDPR rights — even if that person is litigious or difficult to deal with. Nor does the judgment change the fundamental nature of the right of access, which exists to enable data subjects to understand what personal data are held about them and to verify the lawfulness of processing. 

Considerations For Controllers

Brillen Rottler will not alter a controller’s obligations for many of the subject access requests that it receives. But the judgment recognises that data protection rights are not absolute and must be balanced against other fundamental rights in accordance with the principle of proportionality. The right of access is a tool for transparency and accountability, and not a mechanism for extracting settlements, and its exercise must be consistent with that purpose.

However, refusing manifestly abusive requests is now on firmer ground. Where the circumstances clearly indicate that a request is designed to generate a compensation claim, rather than to exercise a fundamental data protection right, controllers have a defensible basis for declining to comply. 

But organisations that seek to rely on Article 12(5) of the GDPR should be prepared to demonstrate the indicators of abuse. That means capturing the timeline of engagement, identifying public information about the requester’s conduct, and articulating clearly why the request falls outside the legitimate scope of Article 15 of the GDPR.
