Key Takeaways
- GDPR lets you refuse a subject access request only when it is manifestly unfounded or excessive (Article 12(5)) — and you, the controller, carry the burden of proving that character with clear evidence.
- In Brillen Rottler (Case C-526/24, 19 March 2026), the Court of Justice of the EU held that even a customer's first-ever access request can be "excessive" if it was made with abusive intent — but the exception "must be interpreted restrictively."
- Abuse has two parts: an objective element (the request does not serve its real purpose of verifying processing) and a subjective element (an intention to manufacture a GDPR advantage, such as a compensation claim).
- EDPB Binding Decision 1/2026 is the counterweight: a coordinated, campaign-style exercise of rights is not automatically abusive. Refuse on documented evidence, never on annoyance.
- Refuse the wrong request and you do not just lose the argument — under Brillen Rottler you can owe compensation for the breach of the right of access itself.
Introduction
Most guidance on subject access requests tells you how to answer them. This one is about the rarer, riskier decision: when you can lawfully say no. For EU and UK eCommerce operators, that question got sharper in 2026. Germany's Bavarian data protection authority (BayLDA) logged 9,746 complaints and audit prompts in 2025 — up 61% year-on-year and the highest level since GDPR took effect — and regulators are openly worried about AI-drafted request floods. Against that backdrop, the Court of Justice of the EU ruled in March 2026 that even a customer's first access request can be refused as abusive. But the same ruling, and an EDPB decision published weeks later, set a deliberately high bar. Refuse carelessly and you owe damages for the refusal itself.
This is informational content, not legal advice. For a specific request, take advice from a qualified data protection lawyer.
When Can You Refuse a Subject Access Request?
You can refuse a subject access request only when it is manifestly unfounded or excessive under Article 12(5) GDPR. Those are the sole grounds. The burden of proof sits with you, the controller — not the customer — to demonstrate that character with clear evidence, on a request-by-request basis.
Article 12(5) gives you two options when a request "manifestly unfounded or excessive, in particular because of [its] repetitive character" is received: you may either charge a reasonable fee taking into account administrative costs, or refuse to act on the request. Refusal is not a free pass — the same provision states plainly that "the controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request." Article 57(4) imposes the identical test, and the identical burden, on supervisory authorities handling complaints.
The two grounds are not interchangeable. The UK's Information Commissioner's Office (ICO), in guidance last updated 8 December 2025, draws them apart like this:
| Ground | What it means (ICO) | Typical eCommerce example |
|---|---|---|
| Manifestly unfounded | The person clearly has no genuine intention to exercise the right (e.g. offers to withdraw the request in return for a benefit), or the request is malicious and used to harass with no real purpose beyond disruption. | A customer emails "delete my account and pay me €500 or I'll flood you with SARs." |
| Excessive | The request is "clearly or obviously unreasonable," weighed against proportionality factors such as burden, context, prior disclosure, and repetition within an unreasonably short interval. | Weekly identical requests after a full response was already provided. |
Two cautions from the ICO sit under that table. First, "a request is not necessarily excessive just because the person requests a large amount of information" — volume alone is not a ground. Second, there is "a high threshold for relying on the manifestly unfounded or excessive provisions," and any decision "needs to be supported by clear evidence." That mirrors the GDPR's own starting point in Recital 63: individuals should be able to exercise access "easily and at reasonable intervals, in order to be aware of, and verify, the lawfulness of the processing." The right is the rule; refusal is the narrow exception.
What Changed in 2026: A First Request Can Now Be "Excessive"
Until 2026, many controllers assumed "excessive" was effectively a synonym for "repetitive" — and that a customer's first request was therefore automatically safe. Brillen Rottler (Case C-526/24, decided 19 March 2026 by the Fourth Chamber) ended that assumption. The CJEU held that a first access request can be excessive where the controller proves it was made with an abusive intention rather than to verify processing.
The facts are worth knowing because they define the edge case. In March 2023, an Austrian resident subscribed to the newsletter of Brillen Rottler, a German optician, by entering his details on the sign-up form. Thirteen days later he sent an Article 15 access request; the company refused it as abusive; he then claimed €1,000 in non-material damages under Article 82. Commentators call this pattern — hand over data, fire off an immediate request, claim damages on refusal — "GDPR hopping." The Court's answer was nuanced: yes, such a first request can be excessive, but only under strict conditions.
The two-part abuse test
The CJEU built its ruling on the general EU-law doctrine of abuse of rights, which requires two things together. There must be an objective element — a combination of circumstances in which, despite formal compliance with the rules, "the purpose of those rules has not been achieved" — and a subjective element — "the intention of the data subject to obtain an advantage from the EU rules by artificially creating the conditions" for it. Both must be present.
Critically, the Court framed Article 12(5) as an exception that "must be interpreted restrictively": a controller "may rely on such excessive character only exceptionally," and "there must be strict criteria for characterising a first request for access as 'excessive.'" It also addressed evidence directly. Publicly available information showing that a data subject has filed many access requests followed by compensation claims against various controllers may be taken into account to establish abusive intent — but only "provided that it is supported by other relevant material." A pattern alone does not carry the burden.
The ruling cuts both ways for merchants. On compensation, the Court confirmed (extending its earlier reasoning) that Article 82(1) gives a right to damages for infringement of the right of access itself, not only for unlawful processing. So ignoring a valid request is now its own compensable breach. But it also held that non-material damage — loss of control, uncertainty — cannot be claimed where the causal link is broken by the data subject's own conduct, i.e. where they submitted their data specifically to manufacture the conditions for a claim.
The evidence that convinced a court
What does a winning evidence bundle actually look like? On 1 July 2026, the German trial court that had referred the case (the Amtsgericht Arnsberg) applied Brillen Rottler on remand and found this particular request was abusive. According to reports from law firms A&O Shearman (16 July 2026) and Taylor Wessing (13 July 2026) — the primary decision text and docket number are not yet publicly available, so these facts rest on those two convergent secondary reports — the court relied on a documented bundle of indicators, not any single factor:
- the claimant volunteered more data than necessary;
- his interest in the newsletter was implausible (an Austrian resident signing up to a regionally limited German offering);
- the 13-day gap between subscription and the request;
- the request was sent by fax on full letterhead, disclosing yet more unnecessary data;
- there was no parallel complaint to a supervisory authority;
- he did not appear at an ordered oral hearing;
- publicly available information on his pattern of similar claims — accepted only because it was corroborated by the other concrete indicators;
- and inconsistent conduct: claiming his data was sensitive while voluntarily oversharing it.
The same reports note the court accepted the company's refusal letter as procedurally adequate: it was timely, adequately reasoned, and pointed the individual to the competent supervisory authority and the judicial remedy — without being required to list every possibly-competent DPA. The lesson is that abuse is proven by an accumulation of corroborating facts, and that how you refuse matters as much as whether you may.
The counterweight: campaigns are not automatically abuse
Before you treat Brillen Rottler as open season, read the case published a few weeks later. EDPB Binding Decision 1/2026 (under Article 65(1)(a) GDPR), adopted 28 May 2026 and published 14 July 2026, concerned a noyb complaint about the cookie banners of Belgian broadcaster VRT. The Belgian DPA, as lead authority, wanted to dismiss it as an abuse of the right to complain (Article 77) and the right to be represented (Article 80(1)); the Austrian DPA objected; the dispute went to the EDPB.
The EDPB found there was no abuse — "the objective and subjective components needed to prove such abuse were not demonstrated" — and ordered the Belgian DPA to assess the complaint on its merits. Two points make this decision essential reading for anyone drafting a refusal. First, the EDPB explicitly applied the Brillen Rottler two-part test by name, stressing that the abuse doctrine "has to be subject to a strict interpretation and meet the threshold set out in the CJEU case law, including in terms of burden of proof and evidential requirements." Second, it found the objective element absent even though it was obvious there had been "an organised process of drafting and filing of complaints" in which noyb "played a leading role," targeting controllers on "pre-defined criteria" using "automated means." A coordinated, campaign-style exercise of rights is not, by itself, abusive.
What distinguished the campaign from Brillen Rottler? The EDPB noted that neither the authority nor the controller had shown that "a compensation under Article 82 GDPR or any other financial benefit has been sought." The through-line across both cases is the same: refuse on evidence of a manufactured advantage, never on the fact that a request is coordinated, high-volume, or simply annoying.
How to Refuse a DSAR Without Getting It Wrong
If you conclude a request may be manifestly unfounded or excessive, work through a defensible process rather than reaching for refusal first:
- Confirm it is a valid request and identify the data. Verify identity proportionately and scope the data before deciding anything. Refusal is a last resort, not a triage tool for a busy queue.
- Assess each request on its own merits. The ICO is explicit that you must not operate a blanket policy, and you must not assume a request is unfounded merely because the person has made previous requests. Decide this request, on today's facts.
- Build the evidence bundle. Document the concrete indicators (as in the German case) and corroborate them. Treat publicly available "pattern" information as support only — the CJEU requires other relevant material alongside it.
- Choose the proportionate response. Article 12(5) offers a reasonable fee or refusal, and refusal can be partial. A fee or a narrowed response is often more defensible than a flat "no."
- Write a properly reasoned refusal letter. State the ground relied on, explain your reasoning, and inform the individual of their right to complain to the supervisory authority and to a judicial remedy — within the one-month deadline that still applies (see our guide to automating the DSAR workflow).
- Log everything. You carry the burden of proof, so your file must be able to justify the decision to the individual and, if asked, to a regulator.
Common Mistakes That Turn a Refusal Into a Liability
- Treating high volume as automatically excessive. The ICO states a request is "not necessarily excessive just because the person requests a large amount of information." Volume is a proportionality factor, not a ground.
- Assuming abuse from a person's history. EDPB Guidelines 01/2022 on the right of access (v2.0, adopted 28 March 2023) warn a controller "should not presume that a request is manifestly unfounded because the data subject has previously submitted requests" that were, or because the request "includes unobjective or improper language."
- Refusing because a request is hostile or campaign-driven. EDPB Decision 1/2026 confirms coordination and automation do not, alone, prove abuse.
- Leaning on "GDPR hopping" pattern data by itself. Brillen Rottler requires that publicly available pattern information be corroborated by other concrete indicators.
- Going silent. Ignoring a valid request is the most expensive mistake of all: after Brillen Rottler, a breach of the right of access is itself compensable under Article 82, regardless of whether the underlying processing was unlawful.
What About the UK?
The UK framework tracks the EU on this point. UK GDPR reproduces the manifestly-unfounded-or-excessive test, and the ICO's guidance (updated 8 December 2025) applies a "high threshold" backed by "clear evidence," assessed request by request. Brillen Rottler is a CJEU judgment and so is persuasive, not binding on UK courts and the ICO after Brexit — but the ICO's position already aligns with its restrictive thrust. UK merchants juggling parallel EU and UK obligations should also note the separate reforms to request-handling timelines under the Data (Use and Access) Act; we cover those in the DUAA "stop the clock" rules for eCommerce. For the wider picture of your obligations, see our complete guide to GDPR compliance in 2026.
How PrivacyForge Helps
A refusal is only as strong as the record behind it. PrivacyForge's data-subject-request workflow tracks each request against its statutory deadline, so an at-risk decision never slips into an accidental non-response — the one outcome Brillen Rottler makes clearly compensable. Because every step is audit-logged, the reasoning behind a "manifestly unfounded" or "excessive" determination, and the evidence bundle supporting it, live in one place you can hand to a supervisory authority if challenged. That is the difference between a defensible refusal and a hopeful one: not a bolder "no," but a documented one.
Frequently Asked Questions
Can you refuse a subject access request under GDPR?
Yes, but only on two grounds: the request is manifestly unfounded or excessive under Article 12(5) GDPR. You may then charge a reasonable fee or refuse entirely. The controller — not the requester — must prove that character with clear evidence, and the threshold is high.
Can a customer's first-ever access request be refused as excessive?
Yes. In Brillen Rottler (C-526/24, 19 March 2026) the CJEU held a first request can be excessive if the controller proves it was made with abusive intent — to manufacture a GDPR advantage such as a compensation claim, rather than to verify processing. But the exception "must be interpreted restrictively" and needs strict, corroborated evidence.
What makes a subject access request "manifestly unfounded"?
Per ICO guidance, a request is manifestly unfounded when the person clearly has no genuine intention to exercise the right — for example, offering to withdraw it for a benefit — or when it is malicious and used to harass with no real purpose beyond disruption. A hostile tone alone does not meet the bar.
Is a coordinated or campaign complaint automatically abusive?
No. EDPB Binding Decision 1/2026 found no abuse in an organised, automated complaint campaign led by noyb, because the objective and subjective components of abuse were not demonstrated and no financial benefit was sought. Coordination and volume, by themselves, do not prove abuse.
What happens if I wrongly refuse or ignore a DSAR?
You risk a compensation claim. Brillen Rottler confirmed that Article 82(1) covers damage from an infringement of the right of access itself, not only from unlawful processing. Ignoring a valid request is therefore its own compensable breach — one reason silence is riskier than a reasoned, documented refusal.
Conclusion
The 2026 case law hands eCommerce operators a genuine but narrow power: you can refuse even a first subject access request when you can prove, on corroborated evidence, that it was made to manufacture an advantage rather than to check how you handle personal data. What you cannot do is refuse because a request is large, repeated, coordinated, or irritating — and you cannot go silent, because non-response is now its own liability. Build the evidence, write the reasoned letter, log the decision, and refuse only exceptionally. Start your free PrivacyForge trial to run every access request through a deadline-tracked, audit-logged workflow that keeps your refusals defensible.
Sources
- CJEU press release No 38/26, Case C-526/24 Brillen Rottler
- Brillen Rottler (C-526/24) full judgment, 19 March 2026
- EDPB Binding Decision 1/2026 (VRT) — document page
- EDPB news release: Belgian DPA must handle the merits of the noyb cookie-banner complaint (14 July 2026)
- GDPR Article 12 (transparency and modalities)
- GDPR Article 57 (tasks of supervisory authorities)
- GDPR Recital 63 (right of access)
- ICO: When can we consider a SAR to be manifestly unfounded or excessive? (updated 8 December 2025)
- EDPB Guidelines 01/2022 on data subject rights — right of access (v2.0)
- BayLDA 15th Activity Report 2025 (PDF)
- A&O Shearman: Abusive DSARs after Brillen Rottler (JD Supra, 16 July 2026)
- Taylor Wessing: AG Arnsberg / Brillen Rottler (13 July 2026)