The General Data Protection Regulation (GDPR) is an EU regulation that sets rules for the protection of personal data. A GDPR right of access under Article 15 GDPR gives a person the right to request information from a controller (e.g. a company) about whether personal data relating to them is being processed and, if so, to request access to this data. Often, letters are also requested that the claimant has already received.
For some time now, the courts have been divided on whether a right to information can also be used for purposes that are alien to data protection. In insurance law, it seems to have become fashionable to file a phased lawsuit in order to first obtain information about the basis for premium adjustments and then to challenge the premium adjustment in the next stage.
A multi-step lawsuit is a procedure in which a party can proceed in several steps within the framework of judicial proceedings in order to achieve a decision. This means that the party first presents a topic for decision. With the results – in this case, information – a performance application is then substantiated in the second stage, for example, the amount of a claim is quantified.
Recently, a few more rulings have been issued on the subject
The Higher Regional Court of Celle ruled on December 15, 2022 in favor of a right to information. A right to information can also be used for purposes unrelated to data protection, as long as the personal data is processed within the framework of the GDPR and the controller has no legal or contractual obligations that conflict with the information. Thus, there is no abuse of rights in this case. The court emphasizes:
"The plaintiff's motivation is also immaterial because the regulation does not make the right to information dependent on a specific objective of the claimant and, accordingly, the application for information does not have to be justified (see BGH, ECJ submission of March 29, 2022 - VI ZR 1352/20; OLG Cologne, judgment of May 13, 2022 - 20 U 198/21; juris Simitis/Hornung/Spiecker, DS-GVO mit BDSG, Art. 15 DS-GVO, para. 11; Schmidt-Wudy in: BeckOK Datenschutzrecht, as of: 01.08.2022; DS-GVO Art. 15, para. 85)."
The Higher Regional Court of Karlsruhe took a slightly different view in its judgment of November 29, 2022. However, it granted the right to information not on the basis of the GDPR, but rather from § 242 BGB. From this, a right to information of the policyholder follows regarding past premium adjustments and the documents provided to him for this purpose, insofar as the corresponding addenda and documents are no longer available to him. A further claim to information about the content of the enclosures to the premium adjustments (reasons and information sheets) that are known to him and available to him does not follow from the GDPR (even). It can be seen from the reasons that the Higher Regional Court of Karlsruhe quickly assumes an abusive legal action in the case of documents that are already available:
"In any case, Art. 12 para. 5 b) GDPR precludes a claim for information. According to this, the controller may refuse to act on the basis of the data subject's application in the case of obviously unfounded or excessive applications, in particular to provide information and copies in accordance with Art. 15 para. 1 and 3 GDPR. An excessive application presupposes abusive behavior on the part of the applicant (Bäcker in Kühling/Buchner, DSGVO, 3rd ed. Art. 12 Rn. 37). These include, for example, requests that have the sole purpose of harassing the controller (Heckmann/Paschke in Ehmann/Selmayer, DSGVO, 2nd ed. Art. 12 para. 43; Bäcker loc. cit.).
This is the case here. The defendant is right to refuse to provide the requested information regarding the information sheets. The request for information is to be considered an abuse of rights, since it is obviously based on neither data protection nor any other legitimate objective. According to his own statement, the plaintiff has the opposing party's letters of reasoning, so that he does not need them for the purpose he is pursuing with his lawsuit – to review the legality of the premium adjustments. In doing so, the Senate does not fail to recognize that the knowledge of the plaintiff of the documents to which the asserted claim relates, taken in isolation, does not preclude the data protection right to information, since this is intended to enable the data subject to verify the lawfulness of the data processing, for example, to check the accuracy of the datacheck the accuracy of the data) (BGH, judgment of June 15, 2021, loc. cit., para. 25, with further references). However, the plaintiff is not pursuing such a data protection objective with his request for information. In particular, his request is not directed at information as to whether the defendant is currently processing, in particular storing, the information contained in the letters known to him (see BGH loc. cit.); rather, his request is solely to obtain information about the content of these letters already in his possession."
The Higher Regional Court of Karlsruhe is thus in line with the Federal Administrative Court, which, in its judgment of November 30, 2022, affirmed a claim for a free first copy of documents containing personal data of the data subject.
Waiting for the ECJ probably in vain
In its decision of March 29, 2022, the Federal Court of Justice had already submitted questions to the European Court of Justice regarding the right to information when the information is requested for purposes that have no data protection background. The core question of the Federal Court of Justice was:
Is Article 15 (3) sentence 1 in conjunction with Article 12 (5) of the GDPR to be interpreted as meaning that the controller (here: the treating physician) is not obliged to provide the data subject (here: the patient) with an initial copy of his personal data processed by the controller free of charge, if the data subject does not request the copy for the purposes of becoming aware of the processing of his personal data and to be able to check its lawfulness, as stated in the first sentence of recital 63 of the DS-GVO, but for another - non-data protection, but legitimate - purpose (here: the examination of the existence of medical malpractice claims)?
To date, however, no such procedure can be found in the ECJ's case law database, so that a decision by the ECJ was apparently prevented by one of the parties to the legal dispute at the Federal Court of Justice. For example, the defendant could have admitted the claims, in which case the question would no longer have been relevant.
The statements represent initial information that was current for the law applicable in Germany at the time of initial publication. The legal situation may have changed since then. Furthermore, the information provided cannot replace individual advice on a specific matter. Please contact us for this purpose.