Summary

The Court of Justice of the European Union (CJEU) ruled on March 19, 2026, in Case C-526/24 that a single Data Subject Access Request (DSAR) under Article 15 of the GDPR can be refused if deemed 'excessive'. This decision provides clarity on the conditions under which a DSAR may be considered abusive.

Key Points

• The ruling was issued by the CJEU on March 19, 2026.
• The case in question is Case C-526/24, involving Brillen Rottler.
• The judgment pertains to Article 15 of the General Data Protection Regulation (GDPR).
• A data subject's initial request for access to personal data can be refused if it is considered 'excessive'.

Analysis

This ruling is significant as it sets a precedent for how DSARs can be managed under GDPR, potentially reducing the burden on organizations facing numerous or complex requests. It provides a legal basis for refusing requests that are deemed excessive, which could impact how data controllers handle compliance with GDPR.

Conclusion

IT professionals should review their organization's DSAR handling procedures to ensure they align with this new legal precedent. Understanding when a request can be considered excessive will be crucial for compliance and operational efficiency.