Earthquake or tumbleweed? Implications of the CJEU's Brillen Rottler decision for DSARs

In 2023, German-based family run optician Brillen Rottler claimed it was unknowingly targeted by an individual who "systematically and abusively" made requests for access to his personal data "for the sole purpose of obtaining compensation by alleging infringement of the EU General Data Protection Regulation." 

The optician said the individual, who is referred to as TC and appeared to have had no other connection with the company, sent a data subject access request within one month of registering for Brillen Rottler's newsletter through its website.

However, rather than comply with the DSAR, Brillen Rottler refused and declared the DSAR was manifestly unfounded or excessive, relying on Article 12(5) of the GDPR. In support of its view, Brillen Rottler pointed to publicly available reports, blogs and lawyers' newsletters highlighting TC's apparent modus operandi, which demonstrated no real purpose to exercise his rights. 

TC disputed this and requested compensation of 1,000 euros. 

Brillen Rottler submitted a claim to a German court seeking a declaration that TC's compensation claim was invalid. TC maintained his right to access under Article 15 of the GDPR was legitimate and continued to seek compensation. The local court referred several questions to the Court of Justice of the European Union.

What was the CJEU's view?

The CJEU published its decision 19 March. Core issues for consideration by the court included: whether making a single DSAR could be characterized as excessive, and therefore an abuse of rights; in coming to that view, could a controller rely on publicly available information about the requester; and what are the rules around eligibility for compensation.