Skip to main content

Right of access pursuant to Art. 15 GDPR – News from Germany

|

Germany’s Federal Court of Justice decided on the scope of data subject’s rights under Art. 15 GDPR - and set certain limits. However, important questions have been left unanswered.

The right of access was claimed by the owner of a life insurance policy who received what he believed was incomplete information from his insurance company. He took the view that his right of access to his personal data under Art. 15 GDPR included all data stored and processed by the insurance company relating to him, including internal and external correspondence, internal telephone and conversation notes and other internal notes, but also internal assessments of his insurance claims which were in dispute as well.

The court of the previous instance, the Regional Court of Cologne, denied such a far-reaching right, saying that the right to access does not include all internal documents of an insurance company such as internal notes or all internal correspondence, and that it also does not include past correspondence between the parties or information concerning commissions for insurance brokers.

The BGH, however, rejected the Regional Court’s approach and confirmed that the right to access under Art. 15 GDPR is in principle comprehensive, as it refers to all stored or processed data that can be linked to the data subject, including internal documents and correspondence with or about this data subject.    

 

Are there any limits?

Nevertheless, the BGH ruling mentions limits to the right of access. First of all, the BGH referred to those contained in exceptions to the GDPR and Germany’s Data Protection Act (BDSG) but it did not examine these options as the parties had not presented any arguments in this regard. In addition (and interestingly), however, the BGH referred to case law of the Court of Justice of the European Union (CJEU).

The policyholder also requested information on the insurance company's internal assessments of his insurance claims asserted. The BGH stated that, according to case law of the CJEU, legal analyses may contain personal data, but the result of such analyses is not personal data in itself. Furthermore, the BGH said that according to the criteria developed by the CJEU, data on commissions paid to insurance brokers also had no relation to the person of the policyholder.

Apparently the BGH did not want to order the insurance company to hand over data  that might reveal that it considered the policyholder's claims to be well-founded or which would give away information on the remuneration of insurance brokers.    

The BGH also said that the right of access is generally fulfilled if the party providing information explicitly or by implication says that the information provided is complete. In this case, according to the BGH, the suspicion that the information provided is incorrect or incomplete cannot justify a claim to access information to a further extent. Whether a data subject is in a position - in cases of justified doubt - to still demand further information or an oath that the information provided is complete, remains open. It also remains open under which circumstances and to what extent the organisation holding the information can demand that the data subject specifies which information they want. In contrast, Germany’s Federal Labour Court recently ruled that it was necessary to be specific in the request.

 

Article provided by: Kirsten Wolgast (Pinsent Masons, Germany)

 

 

Discover more about INPLP, the INPLP-Members and the GDPR-FINE database

Dr. Tobias Höllwarth (Managing Director INPLP)

Cloud Privacy Check (CPC). Data Privacy Compliance in the Cloud Made Easy

Understand Cloud and Data Protection Law in only 4 easy steps. Plus highly relevant legal information for 33 countries. Provided by EuroCloud and 53 European lawyers.

VIEW STREAM

About Us

EuroCloud is an independent non-profit organization and consists of a two-tier setup where organisations form all European countries can apply to participate in as long as they respect the EuroCloud Statutes.

To act as a true European player, all programs that are developed are intended to be European activities. These European programs are the strength of EuroCloud as a whole. Respect to local cultures along with the will to promote a real European spirit.

{$page.footerData}