Targeted delineation of the right of access
The judgment in case C-526/24 marks a turning point. While the ECJ has steadily expanded the right of access under Art. 15 GDPR in the past (e.g. in the FT judgment, C-307/22), it has now for the first time introduced a substantial limitation through the plea of abuse of rights.
Abuse of rights: qualitative rather than solely quantitative assessment
The ECJ confirms that even an initial request for access can be "excessive" within the meaning of Art. 12(5) GDPR. The key consideration here is the abusive intent, rather than the mere number of requests. In this regard, the Court employsapplies the two-stage test (objective and subjective elements) from its previous case law on abuse to the relationship between data subjects and controllers. This methodological transfer is based on the fact that the principles developed regarding Art. 57(4) GDPR are applicable to Art. 12(5) GDPR due to their identical wording and purpose.
According to the ECJ, proving an abusive practice requires two elements:
- An objective element: circumstances showing that the purpose of the regulation was not achieved despite formal compliance.
- A subjective element: the intent to artificially create the conditions for obtaining an advantage under the GDPR (such as compensation).
It is worth noting in this context that the ECJ expressly considers it permissible to take into account publicly available information regarding a systematic approach involving requests for access and subsequent claims for damages. Such information must, however, be confirmed by further relevant indications in the specific case. These include, in particular, the time elapsed between the provision of data and the request for access – merely 13 days in the main proceedings – as well as the data subject's overall conduct.
The judgment thus establishes EU-wide legal standards for an issue on which German case law has not yet provided a uniform answer: while some German Higher Regional Courts (such as Hamm Higher Regional Court) had already regarded motives unrelated to data protection as an indication of abuse, others (such as Cologne Higher Regional Court) had strictly rejected any inquiry into motive. The ECJ now expressly endorses such an inquiry in cases involving the artificial creation of grounds for litigation.
Liability without "processing": a dogmatic breakthrough
The Court's ruling on Article 82(1) of the GDPR is of particular relevance in practice: a claim for damages can also arise from infringements that do not imply direct data processing, such as the mere unlawful refusal to provide access.
The Court bases this on the wording of Article 82(1) of the GDPR, which refers generally to a "breach of this Regulation", as well as on the provision's systematic placement within Chapter VIII of the GDPR. Accordingly, the provision protects not only data processing operations in the strict sense, but also the data subjects' rights set out in Chapter III, which specifically include the right of access.
The ECJ thus corrects a restrictive reading of its Österreichische Post judgment (C-300/21). It clarifies that Art. 82(2) GDPR merely "supplements" paragraph 1 but does not limit it to pure processing operations. This strengthens the level of protection for data subjects on the one hand and extends the liability of data controllers on the other. It has immediate consequences for pending proceedings.
The actual innovation: breaking the causal link through own conduct
Finally, the ECJ's ruling on the causal link is of particular interest. The ECJ’s ruling goes beyond the Advocate General's Opinion (cf. our previous post) by establishing the interruption of causality as a central defence tool for controllers. The Court has determined that, in accordance with the precedent set by the general liability case law (WS and Others v Frontex), the data subject's own conduct can break the causal link.
Anyone who deliberately induces data processing with the intention to provoke grounds for litigation may make their own conduct the "decisive cause" of the resulting damage. This could result in the complete exclusion of the controller's liability. For defence counsel, this development presents an additional argumentative framework without the ECJ lowering the standard for demonstrating the occurrence of actual damages.#
Loss of control and open questions
The ECJ has established that a loss of control, in and of itself, may constitute compensable non-pecuniary damage, without the necessity of a de minimis threshold. However, this damage is not presumed; instead, the individual must demonstrate that they have indeed suffered non-pecuniary damage. Furthermore, the data subject’s own conduct must not be the decisive cause of that damage.
However, the exact threshold for the "decisive cause" in mixed cases and the future assessment of the amount of damages by national courts remain unresolved. The question of whether serial requests by associations or legal-tech models are subject to the abuse proviso will also continue to occupy legal practice.
Recommendations for controllers
For data controllers who may be faced with abusive requests for access, the practical value of the judgment lies particularly in its guidance on structured preparation:
- Requests for information should not be rejected without careful consideration. Even in cases of suspected abuse, Article 12(5) of the GDPR remains an exception that must be interpreted narrowly.
- Controllers should define internal review processes and specify when the data protection officer, the legal department or external legal counsel should be involved, and according to which criteria a claim of abuse is assessed.
- Where there are indications to this effect, it must be assessed and documented whether the data subject’s conduct was the decisive cause of any damage claimed.
Conclusion
In its judgment in Case C-526/24, the ECJ has, on the one hand, expanded the scope of the right to compensation under Article 82 of the GDPR by expressly extending it to include infringements of the right of access. Conversely, within the framework of Article 12(5) of the GDPR, it establishes narrowly defined yet practically significant safeguards against abuse, thereby providing an essential corrective measure. It is particularly noteworthy that the ECJ attaches importance to the data subject's own conduct in terms of causation. In this manner, the GDPR is maintained as a mechanism for safeguarding fundamental rights, while also precluding its exploitation for purely financial gain in cases of provoked infringements.
