The Right of Access Is Not Absolute: What the Brillen Rottler Judgment Changes for DSAR Teams

The CJEU’s decision of 19 March 2026 does not reduce the right of access. It does, however, remind organizations that a GDPR access request can, in certain cases, be abusive and that teams must be able to demonstrate this properly.

Introduction

On 19 March 2026, the Court of Justice of the European Union delivered a judgment that matters for any organization handling personal data access requests. In Brillen Rottler (C-526/24), the Court clarified that a request made under Article 15 GDPR may, in certain circumstances, be considered excessive, even where it is the first request submitted.

Put differently, the right of access remains a core right, but it is not entirely disconnected from its purpose. Where a request is made not to understand the processing or verify its lawfulness, but in an abusive manner, the GDPR does not necessarily require it to be handled like a standard request.

For DSAR teams, the practical value of this judgment is significant. It does not create a comfortable “right to refuse.” Instead, it reinforces a need for method: qualify the context, document the indicators, trace the decisions, and distinguish ordinary cases from sensitive ones.

What does DSAR mean?

DSAR stands for Data Subject Access Request. In practice, it refers to a person’s right to obtain confirmation as to whether an organization processes their personal data, access to that data, and information about the processing, particularly under Article 15 GDPR.

In operational reality, handling a DSAR is rarely just a matter of running an extraction. It often involves finding data across multiple systems, reviewing emails, attachments, HR documents, or other unstructured content, while also protecting third-party rights and maintaining a defensible decision-making logic.

What the Brillen Rottler judgment actually says

The case concerned a person who subscribed to a newsletter and then, thirteen days later, submitted a right of access request. The company argued that this was part of a broader strategy: artificially creating a non-compliance scenario in order to claim compensation afterwards.

The CJEU did not say that a controller may freely reject any request it sees as opportunistic. It said something more precise: Article 12(5) GDPR may apply even to a first request where that request is excessive in light of the circumstances.

That is the key point of the ruling. Many readers had mainly associated the idea of an excessive request with repeated requests. The Court clarified here that repetition is only one example, not a necessary condition. A single request may already be excessive.

But the threshold remains high. The controller must demonstrate, on the basis of a body of indicators, that the request was not made so that the data subject could become aware of the processing and verify its lawfulness — the normal purpose recalled by recital 63 and linked to Article 15 GDPR.

Why this decision really matters for DSAR teams

The main contribution of the judgment is not theoretical. It is organizational.

In many companies, teams still handle access requests using a binary logic: either the request appears formally valid and the process must be launched in full, or the issue is obviously problematic. In reality, difficult cases usually sit in between those two extremes.

What Brillen Rottler shows is that organizations must be able to read the context. Depending on the case, this means being able to:

  • identify the link between the initial collection of the data and the request,
  • assess the timing between that collection and the exercise of the right,
  • detect possible indicators of a repeated strategy,
  • understand whether the request is genuinely aimed at reviewing the processing or pursuing another objective.

In other words, the robustness of a DSAR process is not measured only by its ability to find the data. It is also measured by its ability to qualify ambiguous cases without improvisation.

That matters because a poorly justified refusal remains risky. But responding without analysis in a sensitive case may be risky too. Between those two outcomes, organizations need a process that can surface the right signals and document the resulting decisions.

The practical impact for Pinda

This is exactly where the judgment intersects with the problems Pinda is designed to address.

In a simple case, an organization can often respond using relatively standard methods. But as soon as a DSAR involves unstructured content, internal documents, third-party data, or a contentious context, the challenge changes in nature. The issue is no longer just retrieving data. It becomes a matter of sorting, qualifying, reviewing, and preserving traceability.

The 19 March 2026 judgment therefore increases the value of a DSAR workflow that can:

  • centralize the relevant sources,
  • make useful contextual indicators visible,
  • distinguish standard cases from those requiring legal escalation,
  • preserve an auditable trail of the decisions taken,
  • help teams properly handle requests involving large volumes of emails and documents.

The impact for Pinda is not about “refusing more requests.” That would be too narrow a reading of the judgment. The real impact is about better case qualification. If a request should be processed normally, the organization must be able to do so efficiently. If it raises a serious concern, the organization must be able to identify that early, document the context, and support a legally defensible decision.

This is exactly the kind of work where a solution focused on DSARs, document review, and third-party protection becomes more useful than a simple collection workflow.

Conclusion

The Brillen Rottler judgment reminds us that the right of access under Article 15 GDPR is a fundamental right, but it cannot be detached from its purpose to the point of covering abusive strategies. In some circumstances, even a first request may be considered excessive.

For organizations, the lesson is not to take a mechanically tougher stance. The real lesson is to professionalize DSAR handling: qualify better, document better, trace better, and separate standard cases from sensitive ones more effectively.

In line with that logic, Pinda provides a concrete answer: helping legal, HR, and IT teams handle access requests with more visibility, more control, and a stronger ability to defend the judgments made under Article 15 GDPR.
