Source: DLA Piper Privacy Matters
A European court has clarified that businesses can, in certain circumstances, refuse a data subject access request (DSAR) even if it is the very first one they receive from that person.
According to a DLA Piper Privacy Matters blog post, on 19 March 2026 the Court of Justice of the European Union (CJEU) issued its judgment in Case C-526/24, involving German optician business Brillen Rottler. The case centred on an Austrian resident, referred to only as TC, who signed up to the company's newsletter and then submitted a DSAR under Article 15 GDPR shortly afterwards. Brillen Rottler refused the request, arguing it was abusive and designed purely to trigger a compensation claim under Article 82 GDPR rather than to genuinely exercise a privacy right.
TC disputed this and reportedly sought at least €1,000 in compensation for non-material damage caused by the refusal. It is important to note that this figure is the amount TC claimed, not a fine imposed by a regulator. The matter was referred to the CJEU by a local court in Germany.
According to the DLA Piper report, the CJEU confirmed two significant points.
First, a first-time DSAR can be refused as "excessive" under Article 12(5) GDPR if the controller can demonstrate abusive intent. The court reportedly clarified that the reference to "repeated requests" in Article 12(5) is just one example of excessiveness, not the only one. The key question is whether the request was made with the intention of engineering the conditions for a compensation claim, not simply how many requests were submitted.
Second, on the question of compensation under Article 82 GDPR, the court reportedly ruled that the causal link required for a compensation claim can be broken where the data subject's own conduct is the primary driver of the alleged harm.
Because the source is a secondary blog post rather than the primary judgment text, these details should be treated with some caution until the full ruling is available.
If someone signs up to your mailing list or uses your contact form and then quickly sends a DSAR, you do not automatically have to comply without question. However, refusing a request is not straightforward: you would need to be able to demonstrate abusive intent, and getting that wrong could still expose you to a complaint. If you want to make sure your DSAR process is solid, our GDPR compliance checklist and guide to privacy policy requirements are good places to start.