CJEU Decision on the Limits of the Right of Access under the GDPR

This article examines the Decision not only from an outcome-based perspective but also through the CJEU's interpretative methodology and normative reasoning.

1. Nature of the Dispute: Legitimate Exercise vs. Instrumentalisation of Rights

In the case at hand, the data subject:

• Subscribed to a newsletter of a data controller,
• Shortly thereafter submitted an access request under Article 15 GDPR,
• Claimed compensation under Article 82 GDPR following the rejection of the request.

The data controller argued that the request was:

• Not aimed at exercising data protection rights,
• But part of a systematic strategy to generate compensation claims.

This led to a fundamental legal question: "Can a GDPR right still be protected when it is exercised for purposes unrelated to its normative function?"

2. Legal Framework Established by the Decision

In its judgment, the CJEU does not assess data subject rights under the GDPR in isolation, but rather within an interconnected legal framework. The Court adopts a holistic approach, particularly in examining the relationship between the right of access, the limitation of requests, and the compensation regime. The Decision provides a comprehensive interpretation under three main headings:

Limitation of Manifestly Unfounded or Excessive Requests

Under Article 12(5) GDPR, the exercise of data subject rights is, as a general rule, free of charge. However, where a request is "manifestly unfounded or excessive", the data controller may either charge a reasonable fee or refuse to act on the request.

The CJEU characterizes this provision as a balancing mechanism aimed at preventing the abuse of rights.

Function and Limits of the Right of Access

The "right of access" enables the data subject to:

• Obtain confirmation as to whether their personal data is being processed,
• Access such data where processing exists,
• Verify the lawfulness of the processing activities.

While the CJEU emphasizes the fundamental importance of this right, it introduces a critical qualification:

The right of access is not unlimited where it is exercised in a manner that deviates from its intended purpose.

Scope and Limit of Compensation

The "right to compensation" allows data subjects to claim compensation for material or non-material damage resulting from a GDPR infringement.

The CJEU clarifies that compensation may arise not only from unlawful data processing but also from violations of data subject rights, including the right of access. However, where the alleged damage results from the data subject's own conduct, no right to compensation arises.

In this respect, the Decision goes beyond the interpretation of a single provision and instead addresses the overall balance between rights and responsibilities under the GDPR framework.

3. The CJEU's Assessment of the Right of Access

The CJEU, in line with its established case law, clearly defines the function of the right of access under Article 15 GDPR as follows:

• To enable the data subject to be aware of processing activities and to verify their lawfulness.
• This right is not merely an informational tool. It also serves as a prerequisite for effective exercise of other data subject rights, such as rectification, erasure, and restriction of processing.

Accordingly, the right of access lies at the very core of the GDPR's transparency and accountability framework.

4. From a Procedural Exception to a System-Protecting Mechanism

One of the key contributions of the Decision lies in the reinterpretation of the function of Article 12(5) GDPR. At first glance, this provision appears to be merely procedural in nature, as it allows the data controller, under certain conditions, to refuse to act on a request.

However, the CJEU adopts a broader perspective. According to the Court, Article 12(5):

• Is not merely a tool to alleviate administrative burden,
• But also serves as a structural balancing mechanism aimed at preventing the abuse of rights within the GDPR framework.

This interpretation demonstrates that the GDPR is not only a regime that grants extensive rights to data subjects, but also one that requires these rights to be exercised in accordance with their intended purpose, in line with the principles of good faith and proportionality.

5. Abuse of Rights: How is an "Excessive Request" Determined?

One of the most notable aspects of the Decision lies in the Court's interpretation of the concept of an "excessive request".

According to the CJEU, this concept is not limited to repeated or numerous requests. Even a first access request may be considered excessive, provided that certain conditions are met.

In this context, the Court shifts the assessment from a purely quantitative approach to one based on purpose and context. The CJEU establishes a two-pronged test for identifying abuse of rights.

First, the objective element must be assessed. At this stage, it is examined whether the request serves the purpose of the right of access. The purpose of this right is to enable the data subject to obtain information about data processing and to verify its lawfulness. Requests that deviate from this purpose may be considered abusive, even if they formally comply with the GDPR.

Second, the subjective element is evaluated. This involves examining the actual intention of the data subject. Where the request is not aimed at obtaining information about processing, but rather at artificially creating grounds for compensation, it may constitute an abuse of rights.

The Court further emphasizes that this assessment must be conducted in light of all the circumstances of the case. In particular, the following factors may be relevant:

• The time interval between the provision of data and the request,
• The behavioural pattern of the data subject,
• The existence of similar requests directed at other data controllers.

Ultimately, even where a right is exercised in formal compliance with the GDPR, it may not be protected if its use deviates from the purpose that the Regulation seeks to safeguard.

6. Compensation Regime and Its Limits

The Decision also has significant implications for the right to compensation.

The CJEU acknowledges that not only unlawful data processing, but also violations of the right of access may give rise to a claim for compensation. In this respect, Article 82 GDPR is interpreted broadly. However, this broad interpretation does not amount to an unlimited right to compensation.

Three cumulative conditions must be satisfied in order to establish a right to compensation:

• An infringement of the GDPR,
• The existence of material or non-material damage,
• A causal link between the infringement and the damage.

The Court further introduces an important limitation: Where the damage results from the data subject's own conduct, the causal link is broken and the claim for compensation must be rejected.

This approach establishes a direct connection between the prohibition of abuse of rights and the compensation regime under the GDPR.

7. Assessment under Turkish Data Protection Law (KVKK)

The CJEU's Decision establishes an important balance within the GDPR framework. While the right of access is strongly protected, it may be restricted under Article 12(5) GDPR where it is systematically instrumentalised. In this context, Article 12(5) expressly allows data controllers to refuse requests that are "manifestly unfounded" or "excessive", and the CJEU interprets this provision in connection with the prohibition of abuse of rights.

From a Turkish law perspective, however, a different normative framework applies. Under the Turkish Personal Data Protection Law No. 6698 ("KVKK"), data subject rights are regulated under Article 11, while the application procedure is governed by Article 13. In addition, the Communiqué on the Principles and Procedures for Application to the Data Controller (In Turkish) provides that applications are, as a rule, free of charge, and that a fee may only be charged where the process entails additional costs.

That said, neither the KVKK nor the relevant Communiqué contains an explicit provision allowing data controllers to refuse requests on the grounds that they are "manifestly unfounded" or "excessive", as is the case under Article 12(5) GDPR. Therefore, data controllers in Türkiye do not benefit from an equally clear legal basis to reject requests solely on the grounds of alleged abuse.

In this respect, a more cautious approach is required in practice. Requests should be assessed on a case-by-case basis, and where appropriate, their scope may be limited with proper justification, ensuring that the process is managed in a careful and compliant manner.

8. Conclusion

The CJEU's judgment in Case C-526/24 does not narrow the scope of data subject rights under the GDPR; rather, it redefines the purpose-driven limits of their exercise. The Decision reaffirms that the right of access under Article 15 GDPR is a fundamental and indispensable right. However, it also makes clear that this right does not enjoy unlimited protection where it is exercised in a manner that deviates from the underlying objectives of the GDPR and becomes instrumentalised.

The Court's approach demonstrates that the GDPR is not merely a framework that confers rights, but also one that requires those rights to be exercised in a fair, proportionate, and system-consistent manner. In this context, Article 12(5) GDPR emerges as an exceptional yet significant balancing tool for data controllers, particularly in addressing systematic and compensation-driven requests.

At the same time, the Decision draws important boundaries in relation to the compensation regime. It clarifies that not every infringement automatically gives rise to compensation, and that the existence of damage and a causal link must be carefully assessed. In this respect, the ruling offers a balanced and system-protective response to the increasing trend of claim-driven data subject requests.

From a Turkish law perspective, the absence of an equivalent explicit provision requires data controllers to adopt a more cautious and nuanced approach. This highlights the structural differences between the GDPR and the KVKK, and underscores the importance of assessing each case on its own merits.

"Ultimately, the Decision crystallizes a fundamental principle of data protection law: Data subject rights are preserved; however, their protection is contingent upon their exercise in accordance with their intended purpose and in good faith."

This approach confirms that the GDPR is designed not only to safeguard individual rights, but also to preserve the integrity, coherence, and sustainability of the legal system as a whole.