Monthly Update – March 2026
March brought three significant privacy developments worth knowing about. Here is a quick breakdown of what happened, and what it could mean for your business.
⚖️ CJEU: Can you refuse a data access request? Sometimes yes, if it looks like a setup
What happened:
On 19 March, the Court of Justice of the EU issued a judgment in the Brillen Rottler case (C-526/24). Here is the story:
An individual signed up for the newsletter of a small German optician. Thirteen days later, before receiving a single newsletter, they submitted a data subject access request (DSAR) asking for all personal data the company held on them. The company refused, pointing to publicly available evidence showing this person had done the exact same thing with multiple companies, then claimed compensation when the DSAR was refused. The individual responded by demanding at least €1,000 in damages.
The case ended up before the CJEU, which had to answer: can a first-ever DSAR be refused as excessive?
The short answer is yes, but only under specific conditions. Under Article 12(5) of the GDPR, controllers can refuse requests that are manifestly unfounded or excessive. The Court confirmed that:
This is not limited to repeat requests. Even a first request can be refused as excessive.
The key question is intent. If a request is not made to understand how data is being processed, but solely to manufacture a compensation claim, it can be abusive.
On compensation: if the data subject's own conduct is the reason the damage occurred, the causal link needed to claim damages is broken.
Important caveat: the bar remains high. You cannot simply label an inconvenient DSAR as abusive and move on. You need documented, objective evidence of abusive intent, not just a gut feeling.
What this means for you:
If you receive a DSAR that looks suspicious, for example from someone who signed up very recently or where there is a known pattern of serial claims, you may have more room to push back than before. Document everything.
Do not use this judgment as a reason to refuse legitimate DSARs. The default rule still stands: comply within one month. The excessive exception is narrow.
If you do want to refuse a DSAR, make sure you can point to concrete, documented evidence rather than suspicion alone.
Have you been on the receiving end of suspicious access requests? We are happy to help you think through your options.
👀 Regulators are about to scrutinise your privacy notice: a reminder
What happened:
On 19 March, the EDPB officially launched its 2026 Coordinated Enforcement Framework (CEF) action. Each year, the EDPB picks one GDPR topic and coordinates 25+ national data protection authorities across Europe to examine it simultaneously. This year's topic: transparency and information obligations, meaning whether companies are properly telling people what happens to their data.
Authorities can contact companies proactively through questionnaires, document requests, or even on-site visits. They do not wait for a complaint to come in.
We first flagged this in our October 2025 newsletter when the EDPB announced the topic. For context, you can also read how the 2025 enforcement sweep on the right of access played out in our February 2026 update. Now that the action has officially launched, it is worth a concrete reminder of what regulators are looking for.
What this means for you:
Your privacy notice is about to get more scrutiny. Regulators are increasingly looking for:
Plain language: not just technically correct, but actually readable.
Named recipients: vague references to "trusted partners" are getting flagged. Some authorities now expect actual company names.
Transfer information: if personal data leaves the EU, your notice should explain where, why, and what safeguard applies.
Up-to-date content: if you have added new vendors or tools since your last privacy notice update, that needs to be reflected.
If your privacy notice has not been reviewed in a while, now is a good time. A short review today is significantly less painful than a formal request from your national DPA in six months.
📦 TikTok fined €530M: a reminder that data transfers are not just a US story
What happened:
Ireland's Data Protection Commission (DPC) issued a €530 million fine against TikTok for transferring European users' personal data to China without adequate safeguards under the GDPR.
The investigation had been running since 2021, focusing on two things: whether Chinese authorities could access EU user data under Chinese national security laws, and whether TikTok was transparent about this with its users.
During the investigation, TikTok told regulators that EU data was not stored on Chinese servers. It later had to correct this, disclosing that some data had in fact ended up there. The DPC ordered TikTok to bring its transfers into compliance within six months. If it does not, transfers to China must be suspended. TikTok is appealing.
What this means for you:
A few things worth keeping in mind, regardless of your company's size:
The US is not the only third country that matters. If you use vendors or tools that store or send data to countries without an EU adequacy decision, you need adequate safeguards in place and your documentation needs to reflect them.
Transfer compliance is not just about having a contract. You also need to assess whether the safeguard actually works in practice. In TikTok's case, Chinese law could override any contractual protection.
Transparency counts here too. A significant part of the fine related to TikTok not properly informing users that their data could end up in China. This ties directly back to this month's EDPB enforcement focus: check your privacy notices.
Accuracy in regulatory investigations is non-negotiable. Providing incorrect information to a DPA during an investigation is a serious aggravating factor.
That's a wrap!
Three very different developments, one common thread: GDPR is being enforced more actively, more consistently, and across more topics than ever. Privacy notices, data access requests, and international transfers are all firmly in scope.
As always, if any of this raised questions about your own situation, we are happy to help you figure out where to start. Book a free introduction call or simply get in touch.
See you next month,
The Privacy Power Team