ABUSE OF THE GDPR RIGHT OF ACCESS – AND ITS LIMITS

Data protection law protects individuals – but not every individual who invokes data protection law. The ECJ has made it clear: anyone who does not use the right of access to monitor their own data, but instead deliberately uses it as a lever to pursue claims for damages, forfeits that protection. 

CJEU JUDGMENT (Brillen Rottler) C-526/24 OF 19 MARCH 2026 

Facts of the case 

In March 2023, TC subscribed to the newsletter of a German optician (Brillen Rottler). Just 13 days later, he submitted a request for access under Article 15 of the GDPR. The company refused to provide the information, citing publicly available information purportedly demonstrating a systematic approach on the part of TC: signing up for services -> request for information -> claim for damages. TC brought an action seeking payment of at least EUR 1,000 in compensation. 

Key Holdings 

  • Even a first request for information may be deemed “excessive”: Article 12(5) GDPR permits refusal not only in the case of repeated requests, but also in respect of a single initial request, provided that an abusive intent can be established. What matters is not the frequency of requests, but the intent of the applicant.  
  • Burden of proof lies with the controller: If the company wishes to reject a request for information on the grounds that it is abusive, it bears the full burden of proof – and this is a two-stage process. First, it must objectively demonstrate that, despite being formally correct, the request does not serve the actual purpose of the right to information, namely the monitoring and verification of its own data processing. It must then subjectively prove that the applicant intended from the outset to artificially create the conditions for a claim for damages. 
  • Public sources as evidence: The company may use publicly available information (e.g. media reports, blog posts about known ‘data protection trolls’) to support its case, provided such information is corroborated by further evidence.   
  • Compensation even without unlawful data processing: Article 82(1) of the GDPR grants a right to compensation not only in the event of unlawful data processing, but also in the event of a mere breach of the right of access under Article 15 of the GDPR. The infringement of procedural rights in itself gives rise to liability. 
  • Non-material damage – not automatic: The loss of control over data or uncertainty regarding its processing may constitute non-material damage. However, compensation is not payable if the causal link is broken by the data subject’s own conduct – in particular, if they have deliberately provoked the breach in order to generate a claim.

SCOPE OF THE RIGHT OF ACCESS (Art. 15 GDPR) – WHAT IS COVERED, WHAT IS NOT? 

Covered by the right of access (Art. 15 GDPR) 

  • The right to know whether personal data is being processed at all.   
  • Where data is being processed: information regarding the data itself, the purposes of processing, categories of data, recipients, retention period, the origin of the data, and any automated decision-making. 
  • The right to exercise access free of charge and, as a rule, within one month. 
  • Compensation for non-material damage resulting from the infringement of the right of access (including loss of control and uncertainty regarding processing) 

Not covered by the right of access or not worthy of protection 

  • Requests for information that do not serve the purpose of monitoring one’s own data processing, but are made abusively to obtain compensation. 
  • Compensation where the data subject has caused the damage (e.g. loss of control) through their own abusive conduct – the causal link is broken.   
  • Compensation without proof of actual damage incurred – no automatic entitlement arising from the mere infringement. 

CONSEQUENCES FOR SWITZERLAND AND ITS JUDICIAL PRACTICE 

Relevance for Switzerland 

Although the GDPR does not apply directly in Switzerland, the revised Data Protection Act (FADP, in force since 1 September 2023) is closely aligned with European requirements. Swiss courts regularly refer to the GDPR and ECJ case law as an aid to interpretation for the EU-compatible application of the FADP.   

Strengthening of the prohibition of abuse of rights (Art. 2 of the Swiss Civil Code) 

The judgment confirms and reinforces the application of Art. 2(2) of the Swiss Civil Code (“The manifest abuse of a right shall not be protected by law”) in data protection law. Swiss courts are likely to adopt the logic of the ECJ: it is not the number of requests, but the improper intention that is decisive.  

Art. 26(1)(c) FADP permits the refusal of access in the case of ‘manifestly vexatious’ requests or those with a purpose contrary to data protection. The ECJ judgment provides valuable criteria for the practical application of this provision. 

Key difference: Higher threshold for compensation (Art. 32(3) FADP) 

Whilst the ECJ recognises the loss of control as a potentially compensable non-pecuniary loss, Art. 32(3) FADP requires a serious infringement of personal rights for a claim for compensation. The mere refusal to provide information or the associated uncertainty is unlikely to meet this threshold in Switzerland in most cases. 

This represents a significantly higher hurdle for ‘data protection trolls’ in Switzerland than under EU law and is likely to render the business model of systematic requests for information for the purpose of obtaining damages largely unattractive in Switzerland. 

Consistency regarding the causal link   

The ECJ’s comments on the interruption of the causal link by the conduct of the person concerned are fully consistent with the principles of Swiss tort law (contributory negligence). Anyone who deliberately provokes a breach forfeits their claim.   

CONSEQUENCES FOR BUSINESSES 

The judgment is not a free pass to reject requests for information across the board – the burden of proof for misuse lies entirely with the company. Incorrect or delayed information opens the door to claims for damages – regardless of whether the request was made in good faith or abusively.    

For Swiss companies, there is the additional factor that the revised FADP has imposed comparable disclosure obligations since September 2023. Whilst the threshold for claims for compensation is higher than under EU law, this does not relieve companies of the obligation to provide timely and complete information. 

In practical terms, it is therefore advisable to streamline information processes and assign responsibilities clearly within the organisation, to formulate responses in a comprehensible manner rather than simply providing raw data, and to structure data management in such a way that information can be provided quickly and in full. 

CONCLUSION 

With its ruling, the ECJ has drawn an important line against the abuse of the right of access under data protection law: anyone who requests information under Article 15 of the GDPR not to monitor their own data processing, but specifically to construct claims for damages, is acting abusively – and forfeits both the right to access and the right to compensation. For Switzerland, the ruling confirms the application of the prohibition of abuse of rights (Art. 2 of the Swiss Civil Code) in data protection law. At the same time, the Swiss Data Protection Act (FADP) sets the bar even higher than EU law by requiring a serious infringement of personal rights for claims for compensation, which makes the business model of “data protection trolls” unattractive.

FAQs

  • What is the purpose of the right of access under Article 15 GDPR and Article 25 of the FADP?

    The right of access enables data subjects to find out whether and how their data is being processed – and to monitor and, if necessary, challenge such processing. It is not a general right to information, but a specific data protection tool. Anyone who uses it for other purposes – such as to specifically seek compensation – falls outside the scope of the regulation.

  • What is a “data protection troll”?

    The term ‘data protection troll’ – which is not a legal definition – refers to individuals who submit requests for information not out of a genuine interest in their data, but systematically and with the primary aim of driving companies into procedural errors and deriving claims for damages from them. The typical pattern is: registration for a service -> immediate request for information -> claim for damages if the deadline is missed or there is a procedural error.

  • What is meant by a break in the causal link?

    The causal link is the legal connection between a harmful event and the damage that has occurred – without it, there is no claim for damages. It can be broken if the conduct of the injured party themselves has contributed so significantly to the damage that the original act is no longer regarded as the decisive cause. In the present context, this means: anyone who deliberately provokes a data protection breach in order to construct a claim from it cannot claim damages – the causal link is broken by their own conduct.


Obergrundstrasse 70
CH-6003 Luzern
