Requests for information / claims for information under Art. 15 GDPR are one of the unpleasant kinds of mail for companies. For many companies, these requests are annoying at best. For some companies, however, they are problematic because they have not or not sufficiently implemented the requirements of the GDPR. In these cases, information to be disclosed can quickly be overlooked. Emails and email addresses are part of this, as the AG Dortmund(decision of 20.05.2021, ref. 404 C 1526/21) has ruled.
What information was missing from the information provided?
The plaintiff has asserted a claim for information out of court. The defendant also fulfilled this claim for information for the most part. However, the defendant did not submit the complete email correspondence with the plaintiff, nor did it provide the plaintiff's email address. It was undisputed that the parties had communicated via a certain email address of the plaintiff.
The plaintiff brought an action for disclosure. In the course of the proceedings, the defendant then submitted the email correspondence including the email address. This ended the legal dispute on the merits. Nevertheless, the defendant had to bear the costs of the litigation. The defendant would have been condemned because the information provided out of court was incomplete. In this case, the defendant would also have had to bear the costs of the legal dispute.
What information must be provided within the scope of the disclosure pursuant to Art. 15 of the GDPR?
According to Article 15 (1) sentence 1 of the GDPR, the controller must first check whether personal data of the data subject are being processed at all. If this is the case, the controller must provide the data subject with various information pursuant to Art. 15(1)(2)(a) to (h) of the GDPR and provide a copy of the personal data processed by the controller pursuant to Art. 15(3)(1) of the GDPR.
The subject of the claim shall be all data relating to the data subject which are held by the controller at the time the information is provided. The data shall be provided in the form in which it is available to the data controller. The copy of the data must be complete. In particular, it must also cover personal data that the data subject has already received, such as previous e-mail correspondence between the data controller and the data subject.
What do I have to consider when requesting information?
You should note the following in the event of a request for information:
- If in doubt, get help immediately from a lawyer specialising in data protection law. Violations of the obligation to provide information can result in heavy fines.
- Ideally, keep to a deadline set by the data subject for providing the information. According to Art. 12 Para. 3 S. 1 Alt. 2 of the GDPR, you must provide the information no later than one month after receipt of the request for information. If you fail to meet this deadline, you may be fined under Article 83 (5) (b) of the GDPR.
- Check your entire data inventory for personal data of the data subject. Your processing directories according to Art. 30 GDPR will help you with this.
- Attention, pitfall: You may only provide information to the data subject. If you have reasonable doubt about the identity of the data subject after the request for information, you may request additional information necessary to confirm the identity of the data subject under Art. 12(6) GDPR. However, you may not carry out the identity check without reason and in every case. Otherwise, the supervisory authority could accuse you of evading the information by conducting an unfounded identity check.
It is best not to act alone when requesting information, but to seek legal support. We will be happy to examine a request for information for you and recommend the appropriate course of action.
We are happy to provide advice in the entire area of IT law and data protection law.
GoldbergUllrich Lawyers 2021
Julius Oberste-Dommes LL.M. (Information Law)
Lawyer and
Specialist lawyer for information technology law
