A request for access to personal data may be considered excessive, and therefore abusive, and be refused if it is made for the sole purpose of seeking compensation for an alleged breach of the ‘GDPR’ Regulation, the Court of Justice of the European Union ruled in a judgment handed down on Thursday 19 March (Case C-526/24).
In Germany, the optical company Brillen Rottler is refusing to give an individual living in Austria access to his personal data entered in a form available on the German company’s website. It argues that the request is abusive insofar as this individual is known for systematically subscribing to company newsletters, making a request for access and seeking compensation for the non-material damage he claims to have suffered as a result of the rejection of his request for access.
According to the Court, a first request for access may, under certain conditions, already be considered ‘excessive’ within the meaning of the ‘GDPR’ Regulation (2016/679).
This is the case when the data controller demonstrates that, despite formal observance of the conditions laid down by EU law, a request for access has been made not for the purpose of being aware of the data processing and verify its lawfulness (so as to be able to exercise a right to rectification or erasure, or a right to object), but with the intention of artificially creating the conditions required to obtain compensation, an intention that can be considered as ‘abusive’.
The fact that, according to publicly available information, the data subject has made several requests for access to his personal data, followed by requests for compensation, to the various data controllers may be taken into account in order to establish the existence of such an abusive intention, the Court adds.
See the judgment of the Court of Justice: https://aeur.eu/f/l99 (Original version in French by Mathieu Bion)