Out-Law Analysis 2 min. read

German court rules on the right to access under the GDPR

Germany’s Supreme Court has specified the scope of the right to access under Article 15 of the GDPR, but has left important questions unanswered.

The German Court of Justice (Bundesgerichtshof/BGH) has ruled on the content and scope of the right to access your own personal data under Article 15 of the General Data Protection Regulation (GDPR).

The claim was made by the owner of a life insurance policy who received what he said was incomplete information from his insurance company. He said that his request for his personal data included all data stored and processed by the insurance company relating to him, including internal and external correspondence, internal telephone and conversation notes and other internal notes, but also internal assessments of his insurance claims. 

In 2019 the Regional Court of Cologne had denied such a far-reaching right, saying that the right to access under Article 15 of the GDPR does not include all internal documents of an insurance company such as notes or all internal correspondence, nor does it include past correspondence between the parties or information concerning commissions for the insurance brokers.

The Federal Court of Justice has rejected the Regional Court’s approach and confirmed that the right to access under Article 15 of the GDPR is in principle comprehensive, as it refers to all stored or processed data that can be linked to the person. This means that it includes internal documents and correspondence with or about this person.    

Limits of the right to access?

But the BGH ruling does mention limits to the right to access, such as those contained in exceptions to the GDPR and also Germany’s Data Protection Act (BDSG). The BGH did not examine these options as the parties had not submitted anything in this regard. But as the policyholder also requested information on the insurance company's internal assessments of his insurance claims asserted, the court stated that, according to the case law of the Court of Justice of the European Union (CJEU), legal analyses may contain personal data, but the result of such analyses is not personal data in itself. According to the criteria developed by the CJEU, data on bonus payments to third parties also had no relation to the person of the policyholder.

Apparently the BGH did not want to order the insurance company to hand over data  that might reveal that it considers the policyholder's claims to be well-founded or which would give away information on the remuneration of insurance brokers. In this respect, the BGH refers to the case law of the CJEU, which is the highest authority regarding the interpretation of the GDPR. Another approach could be to regard the result of the legal assessment and the amount of commissions as confidential information – especially as information on the commission also affects the data protection rights of the individual who received it.          

The BGH also said that the right to access within the meaning of section 362(1) of the German Civil Code (BGB) is generally fulfilled if the party providing information says that the information is complete or if this can be interpreted from his words. In this case, according to the BGH, the suspicion that the information provided is incorrect or incomplete cannot justify a claim to access information to a further extent. Whether a person entitled to access information can - in cases of justified doubt - still demand further information or an oath that the information provided is complete, remains open. It also remains open under which circumstances and to what extent the organisation holding the information can demand that the person requesting it specify which information they want. In this respect, Germany’s highest labour court recently ruled that it was necessary to be specific in the request.

We are processing your request. \n Thank you for your patience. An error occurred. This could be due to inactivity on the page - please try again.