An optician, a newsletter, and a 1,000 euro claim

The facts are almost comically small for a ruling this consequential. A man residing in Austria subscribed to the newsletter of Brillen Rottler, a family-run optician in Arnsberg, Germany, entering his personal data in the signup form. Thirteen days later he sent the company an access request under Article 15 GDPR. The optician refused, pointing to reports, blog articles and lawyers' newsletters describing how the same individual systematically subscribes to newsletters, files access requests, and then claims compensation. He demanded at least 1,000 euros for non-material damage caused by the refusal.

The Local Court of Arnsberg asked Luxembourg two questions that thousands of European businesses have quietly asked themselves: can a first request already be excessive, and does a refused requester automatically hold a damages claim? On 19 March 2026 the Court of Justice answered both.

What the Court actually decided

First, a single, formally correct access request may already be excessive within the meaning of Article 12(5) GDPR and may therefore be refused, where it was made not to learn what data is processed and verify its lawfulness, but with the abusive intent of artificially creating the conditions for a compensation claim under Article 82.

Second, the Court listed what a controller may rely on to demonstrate that intent: all circumstances of the case, in particular that the data subject volunteered the data without being obliged to, the purpose of providing it, the time elapsed between signup and request, and the person's conduct. Publicly available information showing a pattern of many requests followed by claims against various controllers may be taken into consideration, though not as the sole basis.

Third, the damages side. Compensation under Article 82 requires proof of actual material or non-material damage, and it is unavailable where the claimant's own conduct is the determining cause of the damage. Loss of control over one's data remains compensable in principle, but a manufactured loss is not a loss the controller caused.

The claim industry this ruling defunds

The business model the Court describes has a name in practice: GDPR hopping. Subscribe to dozens of newsletters, fire off access requests, wait for a controller to miss the one-month deadline or answer incompletely, then demand a few hundred to a few thousand euros for non-material damage. The model scales because answering is costly and settling is cheap. Small companies, exactly the family-run kind at the centre of this case, were its preferred targets.

The ruling attacks the model at both ends. The request itself can be refused where abusive intent is demonstrable, and the payout collapses where the damage was engineered by the claimant. What remains untouched is the honest requester: the Court reaffirmed that access exists so people can verify lawfulness, and nothing in the judgment licenses controllers to screen requests by suspicion or annoyance.

What to change in your DSAR handling

The wrong reading of this judgment is that you may now refuse uncomfortable requests. The burden of demonstrating abuse is on you, the evidence must go beyond a feeling, and a wrongly refused request still exposes you to complaints, fines and damages. The right reading is that evidence discipline pays: log every request with its timing and context, answer within the deadline as the default, and treat refusal as the documented exception for which you build a dossier first.

For owners the operational move is a written DSAR triage: who assesses requests, against which criteria from this ruling, who signs off on a refusal, and where the supporting evidence is filed. That paper trail is what turns a court-approved defence into one you can actually use.