The issue of data subject access requests (DSARs) and information claims is currently a significant concern for German courts. Several courts have recently addressed extensive information requests, many of which were based on Article 15 GDPR. It has become apparent that some of these access requests were made abusively. We will present these legal perspectives and advise you on how to proceed (or not to proceed) in such situations.
What information can be requested pursuant to Article 15 GDPR?
Pursuant to Article 15 (1) sentence 1 GDPR, you can demand a statement from the data controller confirming whether they process your personal data. If processing occurs, Article 15 (1) sentence 2 GDPR allows you to request detailed information, including, for example, the origin of your personal data, any recipients, processing purposes, and storage periods.
Is the right of access under Article 15 GDPR subject to limitations?
Fundamentally, your right of access is very broad. According to a Federal Court of Justice (BGH) decision from June 15, 2021, the concept of personal data includes all types of information, both objective and subjective in nature, such as statements or assessments. This extends to telephone, conversation, and evaluation notes. Moreover, all email correspondence is covered.
However, the European legislator clarified in the first sentence of Recital 63 of the GDPR that the right of access serves solely to enable the data subject to be aware of the processing of their personal data and to verify its lawfulness. Consequently, the information provided is explicitly bound by the purpose of data protection.
How have courts evaluated comprehensive data subject access requests?
- The Regional Court of Wuppertal (LG Wuppertal, judgment of July 19, 2021, file no. 4 O 409/20) adjudicated a case where the plaintiff sought extensive information concerning premium adjustments to his private health and long-term care insurance. His intention was to use the anticipated information to assess potential payment claims against the insurer. The Regional Court of Wuppertal determined that the data protection access request was abusive because the plaintiff's objective was not to exercise further rights under the General Data Protection Regulation.
- Similar to the legal dispute before the Regional Court of Wuppertal, the Regional Court of Krefeld (LG Krefeld, judgment of October 6, 2021, file no. 2 O 448/20) addressed an access request concerning premium adjustments to the plaintiff's private health and long-term care insurance. The Regional Court of Krefeld dismissed the claim with reasoning analogous to that of the Regional Court of Wuppertal. The asserted right of access was intended solely to pursue a potential payment claim against the insurer after verifying the legality of the premium review. According to the court, this would constitute an abusive exercise of the right of access under Article 15 GDPR.
- Finally, the Higher Regional Court of Hamm (OLG Hamm, decision of November 15, 2021, file no. 20 U 269/21), in an appeal proceeding, also ruled on an access request related to health insurance premium increases. The OLG Hamm likewise found the access request to be abusive. In addition to Recital 63 of the GDPR, the OLG Hamm referenced the provision in Article 12 (5) sentence 2 GDPR. According to this provision, "excessive" access requests may be refused. The OLG Hamm interprets an "excessive" access request to include those where the fundamental concern is not the protection of personal data, but rather other claims falling outside the scope of the GDPR.
What must be considered when handling a data subject access request?
- Firstly, you must take every data subject access request seriously in principle and strictly observe the one-month deadline stipulated in Article 12 (3) sentence 1 GDPR. Even if the access request is deemed abusive, you risk incurring a fine if you fail to respond within the prescribed timeframe.
- You should seek legal counsel! Even accurately responding to a "simple" data subject access request can be challenging. Successfully addressing a comprehensive access request will, in most cases, require legal support.
- In any event, the data subject retains the right to access the information stipulated in Article 15 (1) GDPR. You will be obliged to provide this information in nearly all circumstances. Should the access request seek significantly more extensive or additional information, the data subject could be asked to specify for which GDPR rights they require this expanded data. If the data subject fails to respond or to clarify their access request, this could indicate abusive conduct.
We assist you in responding appropriately to a data subject access request.
Conversely, we also assist you in asserting a legitimate request for information and substantiating your data protection-related need for information to the satisfaction of the controller or a court.
Please feel free to contact us. We look forward to speaking with you. Furthermore, we are at your disposal as consultants across the entire spectrum of IT/IP and data protection law.
GoldbergUllrich Attorneys-at-Law 2022
Julius Oberste-Dommes LL.M. (Information Law)
Attorney-at-Law and
Specialist Attorney for Information Technology Law
