How to deal with abusive requests for information

The topic of information requests/claims for information is currently occupying the German courts. Some courts have had to deal with very extensive requests for information based, among other things, on Article 15 of the GDPR. In the process, the realisation matured that some requests for information were made in abuse of rights. We present these legal opinions and tell you how you should (not) behave in such a case.

What information can be requested pursuant to Art. 15 GDPR?

According to Article 15 (1) sentence 1 of the GDPR, you can request a statement from the controller as to whether the controller is processing your personal data at all. If this is the case, you can request information about details, such as the origin of your personal data, any recipients, processing purposes and storage periods, in accordance with Art. 15 (1) sentence 2 DSGVO.

Is the right to information under Art. 15 GDPR limited?

In principle, your right to information is very broad. According to a decision of the Federal Supreme Court (BGH) of 15 June 2021, the term personal data includes all types of information of both an objective and subjective nature in the form of opinions or assessments. This also includes telephone, conversation and evaluation notes. Furthermore, all e-mail correspondence is covered.

However, the European legislator clarified in the first sentence of recital 63 to the GDPR that the right of access only serves the data subject to be aware of the processing of his or her personal data and to check its lawfulness. The information to be provided is thus explicitly linked to the purpose of data protection.

How did courts judge comprehensive requests for information?

  • The Regional Court of Wuppertal (LG Wuppertal, judgement of 19.07.2021, case no. 4 O 409/20) had to decide on a case in which the plaintiff requested comprehensive information on premium adjustments of his private health and long-term care insurance. On the basis of the information obtained, he wanted to examine payment claims against the insurer. According to the Wuppertal Regional Court, the claim for information under data protection law was in abuse of rights because the plaintiff did not pursue the goal of exercising further rights under the General Data Protection Regulation.
  • Similar to the legal dispute before the LG Wuppertal, the LG Krefeld (LG Krefeld, judgement of 06.10.2021, ref. no. 2 O 448/20) had to deal with a claim for information in connection with premium adjustments of a private health and long-term care insurance of the plaintiff. The Krefeld Regional Court dismissed the action on similar grounds as the Wuppertal Regional Court. The asserted claim for information was only intended to serve the purpose of asserting a possibly existing claim for payment against the insurer after reviewing the legality of the premium review. However, this would be an abuse of rights to assert the right to information under Article 15 of the GDPR.
  • Finally, the Higher Regional Court of Hamm (OLG Hamm, decision of 15.11.2021, ref. 20 U 269/21) had to decide in the context of appeal proceedings on a claim for information also in connection with premium increases of a health insurance tariff. According to the OLG Hamm, the claim for information was also in abuse of rights. In addition to recital 63 of the GDPR, the OLG Hamm referred to the provision in Art. 12 para. 5 sentence 2 of the GDPR. According to this provision, "excessive" requests for information may be refused. According to the OLG Hamm, an "excessive" request for information also means a request that is not essentially about the protection of personal data, but about other claims outside the GDPR.

What do I have to consider when requesting information?

  • First of all, you must take every request for information seriously and be aware of the one-month deadline pursuant to Article 12 (3) sentence 1 of the GDPR. Even if the request for information is an abuse of rights, you risk a fine if you do not respond to the request for information within the time limit.
  • You should seek legal assistance! Answering a "simple" request for information correctly can already be challenging. You will probably only succeed in answering a comprehensive request for information correctly with the support of a lawyer.
  • In any case, the data subject has the right of access to the information set out in Art. 15(1) of the GDPR. You will have to provide this information in almost all cases. If the request for information is for significantly more extensive or extended information, you could ask the data subject to explain for which rights under the GDPR he or she needs this extended information. If the data subject does not respond or does not specify his or her request for information, this could be an indication of abuse of rights.

 

We help you to react correctly to a request for information.

Conversely, we will also help you to assert a legitimate request for information and to demonstrate your need for information under data protection law to the satisfaction of the controller or a court.

 

Please feel free to contact us. We look forward to talking to you. Furthermore, we are available to you as advisors in the entire area of IT/IP and data protection law.

 

GoldbergUllrich Lawyers 2022

Julius Oberste-Dommes LL.M. (Information Law)

Lawyer and

Specialist lawyer for information technology law

Seal