BGH - VI ZR 576/19
From GDPRhub
| BGH - VI ZR 576/19 | |
|---|---|
 | |
| Court: | BGH (Germany) |
| Jurisdiction: | Germany |
| Relevant Law: | Article 15(1) GDPR Article 15(3) GDPR Article 4(1) GDPR Article 99(2) GDPR § 362(1) BGB § 260 BGB § 253(2)(2) ZPO § 256(2) ZPO § 543(1)(1) ZPO § 552(1) Sentence 2 ZPO § 561 ZPO § 562(1) ZPO § 563(1) Sentence 1 ZPO § 12(5) Sentence 2 BDSG § 15(4) BDSG § 23(1) BDSG |
| Decided: | 15.06.2021 |
| Published: | 08.07.2021 |
| Parties: | |
| National Case Number/Name: | VI ZR 576/19 |
| European Case Law Identifier: | ECLI:DE:BGH:2021:150621UVIZR576.19.0 |
| Appeal from: | LG Köln (Germany) 26 S 13/18 |
| Appeal to: | |
| Original Language(s): | German |
| Original Source: | Entscheidungsdatenbank des Bundesgerichtshofs (in German) |
| Initial Contributor: | n/a |
The German Federal Supreme Court specified the scope and requirements for the fulfilment of a right of access. Among other things, a right of access is not limited to "essential biographical information" and also extends to data in "internal processes".
English Summary
Facts
The controller is a life insurance company with which the data subject is insured. Even before the introduction of the GDPR, the data subject asserted a claim for information pursuant to § 34 of the old version of the German Data Protection Act (BDSG). The controller provided some information. However, the data subject was of the opinion that the information provided was incomplete.
The claim subsequently asserted in court was dismissed at first instance.
In the second instance, the data subject based his request for information on Article 15 GDPR, which has since entered into force. The data subject requested information on all personal data actually held by the defendant, which were subsequently specified in more detail.
The court of second instance rejected the right to information, arguing that the claim had already been fully satisfied. The data subject had not specifically shown that the information already provided by the controller was incomplete and what further information he was demanding. Furthermore, the requested items were not subject to the right of access.
The data subject appealed this decision to the Federal Supreme Court (Bundesgerichtshof, BGH).
Holding
The appeal against the denied right of access was successful. The data subject was entitled to information to the extent claimed. The claim was not fulfilled by the controller and insofar still existed to the extent asserted. The BGH refrained from a preliminary ruling since the interpretation of the law is clearly defined by the CJEU ("acte clair").
Requirements for the Fulfillment of a Right of Access
The court first explains under which conditions a right of access is fulfilled.
This is the case if, according to the controller's declared intention, the information constitutes the information owed in its entirety. If the information is provided in this form, any inaccuracy in its content does not prevent performance. The suspicion that the information provided was incomplete or incorrect could not justify a claim to information to a greater extent. Essential for the fulfillment of the right of access was therefore the - possibly implied - declaration by the controller that the information was complete.
The controller must declare that the information provided is identifiably intended to fully meet the data subject's access request. This is not the case, for example, if no information is provided on a named subject of access, e.g. because the controller erroneously assumes that there is no claim to this effect.
In the same way, the claim was fulfilled with a final negative disclosure. It is sufficient if the controller declares that no data relating to a concretely requested subject of access (here: correspondence with third parties) has taken place beyond the information already provided.
Subsequently, the court stated with regard to the individual information requested that the controller had partially misunderstood the concept of personal data and (thus) the scope of the right of access, and thus the claim was not fulfilled.
Personal Data: No Requirement of "Essential Biographical Information"
To this end, the court refers to the legal definition of personal data in Article 4(1) GDPR and points out that the term is to be understood broadly. It is not limited to sensitive or private information, but potentially includes all types of information, both objective and subjective, in the form of opinions or assessments, provided that it is information about the person in question. The latter condition is met if the information is linked to a specific person by virtue of its content, purpose or effects.
Contrary to what is sometimes argued, Article 15 GDPR should not be teleologically reduced to require "essential biographical information". This would not be compatible with the case law of the CJEU on the broad understanding of personal data.
Knowledge of the Data Subject of Information Does Not Prevent the Right of Access
The court further states that it does not prevent a right of access if the data subject is already aware that a specific correspondence (including personal data) has taken place. According to Recital 63(1) GDPR, the right of access serves to ensure that the data subject can be aware, and verify, the lawfulness of the processing. Even if a data subject is aware of past correspondence, they cannot deduce from this whether the respective data are still currently being processed, in particular stored. Furthermore, it follows from recital 63(1) and Article 12(5)(2) GDPR that information can in principle be requested repeatedly, which also speaks against an exclusion of a claim in the case of knowledge.
Access Right also for Personal Data included in "Internal Processes”
The court also found that information in internal notes, for example on the health of a data subject or on statements made by the data subject in telephone conversations, must also be provided. The controller's statement that these were "internal processes" was not valid. Neither the wording nor the purpose of Article 15(1) GDPR required that personal data need to be accessible externally.
Assessment of the Legal Situation and Commission Payments to Third Parties Do Not Constitute Personal Data
Finally, the court refers to CJEU case law, according to which legal analyses may in principle contain personal data, but the assessment of the legal situation made on the basis of these data does not itself constitute personal data.
According to CJEU case law, data on commission payments made by the controller to third parties also have no personal reference.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.
**Previous cases:**
Cologne Regional Court, June 19, 2019, Az: 26 S 13/18, Judgment
Brühl Local Court, March 7, 2017, Az: 24 C 407/17
**Judgment:**
The plaintiff's appeal against the judgment of the 26th Civil Chamber of the Cologne Regional Court dated June 19, 2019, is dismissed as inadmissible insofar as it pertains to the rejection of the intermediate declaratory action (claim no. 5).
Upon the plaintiff's appeal, the aforementioned judgment is set aside in terms of costs and insofar as the plaintiff's appeal regarding claims 3 and 4 was rejected.
To the extent of the reversal, the case is remanded to the appellate court for a new hearing and decision, including the costs of the appeal proceedings.
By law.
**Facts:**
1. The plaintiff asserts claims for data disclosure against the defendant insurer, insofar as relevant to the appeal proceedings.
2. The plaintiff entered into a contract with a legal predecessor of the defendant on July 1, 1997, for an endowment life insurance policy with additional disability insurance. By letter dated January 10, 2016, the plaintiff objected to the formation of the contract. Another legal predecessor of the defendant, P. Lebensversicherungs-AG, rejected the objection. By letter dated April 5, 2016, P. Lebensversicherungs-AG sent the plaintiff a "data overview pursuant to § 34 BDSG" at his request. During the legal dispute, the defendant provided further written information about the plaintiff's personal data processed by the defendant. The plaintiff believes that the information provided is incomplete.
3. The plaintiff filed a claim for a premium refund of €3,080.93 plus ancillary claims before the local court. Additionally, he requested the defendant to provide a complete "data disclosure in the sense of § 34 BDSG" and to swear an affidavit on the completeness and correctness of the information already provided.
4. The local court dismissed the lawsuit. In his appeal, the plaintiff continued to pursue his payment claim plus ancillary claims (claims 1 and 2) without change. He now based his request for information on Art. 15 of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, OJ 2016 L 119 p. 1, corrected in OJ 2016 L 314 p. 72 and OJ 2018 L 127 p. 2; hereinafter: GDPR) and requested the defendant to be ordered to:
(...)
5. 3. provide the plaintiff with complete data disclosure beyond the scope of appendix K37, pp. 1-4, and appendices BLD1-BLD10 by providing a copy - alternatively in text form;
6. 4. alternatively to 3., swear an affidavit on the completeness and correctness of the data disclosure provided so far;
7. 5. establish in advance pursuant to § 256 para. 2 ZPO that the plaintiff's right to data disclosure under Art. 15 GDPR in conjunction with Art. 4 GDPR extends to all data actually available about the plaintiff at the defendant's premises, including the plaintiff's internal personal data and the correspondence exchanged with him (including emails), the defendant's internal telephone and conversation notes and other internal notes on the insurance relationship between the parties and also the defendant's internal evaluations of the plaintiff's claims from the insurance policy in dispute.
8. The regional court dismissed the plaintiff's appeal - rejecting the intermediate declaratory action filed for the first time in the second instance as inadmissible - and admitted the appeal regarding the extent of the information claim under Art. 15 GDPR. The plaintiff continues to pursue claims 3 to 5 with his appeal.
**Reasons for the decision:**
I.
9. The appellate court, whose judgment is also published in CR 2019, 505, substantiated its decision as follows, insofar as relevant to the appeal proceedings:
10. The intermediate declaratory action is inadmissible. The prerequisite of § 256 para. 2 ZPO for the pending legal relationship to decide the legal dispute is missing. The sought declaration must relate to a matter that goes beyond the subject matter capable of res judicata of the legal dispute. Therefore, there is no room for an intermediate declaratory action if the judgment on the main action fully regulates the parties' legal relations.
11. The defendant has fully complied with the plaintiff's right to information under Art. 15 GDPR. The defendant provided various information and stated that no further personal data about the plaintiff was stored or processed in a pre-litigation communication dated April 5, 2016, and another letter dated December 13, 2018. The plaintiff did not specifically assert that the information already provided by the defendant was incomplete and to what extent he required further information. Past correspondence between the parties does not fall under the right to information, nor does information about internal processing notes or the premium account within the insurance history. The defendant stated that no further correspondence with third parties had been conducted.
12. The plaintiff cannot demand the affidavit sought alternatively because there are no indications that the information provided is incomplete or incorrect.
II.
13. The appeal is inadmissible insofar as it pertains to the rejection of the intermediate declaratory action. Insofar as it challenges the dismissal of the appeal regarding claims 3 and 4, the appeal is successful and leads to the partial reversal of the appellate judgment and remand of the case to the appellate court.
14. 1. The appeal is admissible pursuant to § 543 para. 1 no. 1 ZPO and otherwise admissible insofar as it challenges the dismissal of the appeal regarding claims 3 and 4. However, the appeal against the rejection of the intermediate declaratory action (claim 5) must be dismissed as inadmissible pursuant to § 552 para. 1 sentence 2 ZPO. In this respect, it is not admissible (§ 542 para. 1, § 543 para. 1 no. 1 ZPO), because it was not admitted by the appellate court. The appellate court admitted the appeal only regarding the extent of the information claim under Art. 15 GDPR in the judgment formula, thus effectively limiting the admission to claims 3 and 4, an independent factual and legal part of the overall dispute (cf. the requirements of a limitation of admission in the Senate judgment of May 2, 2017 - VI ZR 262/16, VersR 2017, 959 para. 15 mwN). The intermediate declaratory action raised by claim 5 also concerns the extent of the information claim under Art. 15 GDPR. However, it was rejected by the appellate court for procedural reasons due to the lack of pending legal relations (§ 256 para. 2 ZPO). The extent of the information claim under Art. 15 GDPR did not play a role in this respect. Therefore, the appellate court clearly did not want this decision to be reviewed by the court of appeal.
15. 2. Insofar as the appeal is admissible, it is also well-founded.
16. a) The appeal successfully challenges the appellate court's assessment that the plaintiff has no further right to information under Art. 15 GDPR against the defendant. The appellate court's reasoning cannot support the conclusion that the defendant has already fully satisfied the plaintiff's claims under this provision.
17. aa) The appellate court correctly assumes that the plaintiff's right to information under data protection law is governed by the directly applicable Art. 15 GDPR since May 25, 2018 (Art. 99 para. 2 GDPR; cf. Senate judgment of July 27, 2020 - VI ZR 405/18, BGHZ 226, 285 para. 12). According to Art. 15 para. 1 GDPR, the data subject has the right to obtain confirmation from the controller as to whether personal data concerning them is being processed; if so, they have the right to access this personal data and certain further information. Under Art. 15 para. 3 sentence 1 GDPR, the controller provides a copy of the personal data being processed.
18. bb) The appellate court further rightly assumes that the plaintiff is generally entitled to information under this provision about the personal data concerning him processed by the defendant as the controller within the meaning of Art. 4 no. 7 half-sentence 1 GDPR. However, its assumption that this right has already been fully satisfied by the defendant is legally flawed.
19. (1) An information claim is generally considered fulfilled in the sense of § 362 para. 1 BGB if the information is provided in the full scope owed according to the debtor's declared intention. If the information is provided in this form, any potential factual inaccuracies do not preclude fulfillment. The suspicion that the information provided is incomplete or inaccurate cannot justify a claim for further information. Therefore, for the fulfillment of the information claim, the information debtor's declaration that the information is complete is essential (cf. BGH, judgment of September 3, 2020 - III ZR 136/18, GRUR 2021, 110 para. 43 mwN).
20. The assumption of such a declaration requires that the information provided clearly covers the subject matter of the legitimate information request in its entirety. This is missing, for example, if the information debtor has not addressed a specific category of information, possibly because they mistakenly believe they are not obliged to provide information on these matters. In such cases, the information beneficiary can demand a supplement to
the information (cf. BGH, judgment of March 6, 1952 - IV ZR 45/50 and - IV ZR 16/51, BeckRS 1952, 103508 para. 28 f.; Bittner/Kolbe in Staudinger, BGB, Neubearb. 2019, § 260 para. 36 and § 259 para. 32).
21. (2) According to these standards, the appellate court's reasoning does not support the assumption that the plaintiff's data protection information claim has been fully fulfilled. Although the appellate court unchallengedly found that the defendant has already provided certain information to the plaintiff and stated that no further personal data about the plaintiff is stored or processed, the plaintiff has specified his information request in light of the information already provided, as indicated in his intermediate declaratory claim and the appellate hearing record, and as rightly pointed out by the appeal. He further requested information about the entire previously undisclosed correspondence between the parties, including data from the complete premium account and any second copies and amendments to the insurance certificate, as well as data information regarding all telephone, conversation, and assessment notes of the defendant concerning the insurance relationship. The appellate court did not establish that the defendant declared to have already provided complete information regarding these information subjects. The appellate court's view that these subjects do not fall under the information claim under Art. 15 para. 1 GDPR is based, at least partly, on a misunderstanding of the term "personal data" within the meaning of the GDPR and the purpose of the data protection information claim.
22. (a) According to Art. 4 no. 1 half-sentence 1 GDPR, "personal data" means any information relating to an identified or identifiable natural person. According to this definition and the case law of the European Court of Justice, the term is to be understood broadly. It is not limited to sensitive or private information but potentially includes all types of information of both objective and subjective nature in the form of opinions or assessments, provided that it is information about the person in question. This condition is met if the information, due to its content, purpose, or effects, is linked to a specific person (cf. - still on Art. 2 lit. a of Directive 95/46/EC - ECJ, judgment of December 20, 2017 - case C-434/16, NJW 2018, 767 para. 33-35 mwN; Art.-29 Data Protection Working Party, Opinion 4/2007, WP 136, 10 ff.; on Art. 4 no. 1 GDPR cf. Arning/Rothkegel in Taeger/Gabel, GDPR/BDSG, 3rd ed. 2019, Art. 4 GDPR para. 8 ff. mwN; Klar/Kühling in Kühling/Buchner, GDPR/BDSG, 3rd ed. 2020, Art. 4 no. 1 GDPR para. 11 ff.; Klabunde in Ehmann/Selmayr, GDPR, 2nd ed. 2018, Art. 4 para. 10 f.). The view that the term "personal data" within the meaning of Art. 15 GDPR should be teleologically reduced to significant biographical information that stands out in the document (so also Härting, CR 2019, 219, 224; for a teleological reduction also Britz/Beyer, VersR 2020, 65, 73 mwN) is clearly incompatible with the cited case law of the European Court of Justice, which can undoubtedly be applied to the term "personal data" within the meaning of Art. 15 in conjunction with Art. 4 no. 1 half-sentence 1 GDPR (see also König, CR 2019, 295 para. 47; against a restriction at the level of the elements of the offense also Lembke, NJW 2020, 1841, 1843; Schulte/Welge, NZA 2019, 1110, 1111; Brink/Joos, ZD 2019, 483, 488).
23. According to Recital 63 sentence 1 of the GDPR, the right of access concerning the personal data concerning the data subject serves the purpose of making the data subject aware of the processing (for the term, see Art. 4 no. 2 GDPR; for the area of processing covered by the substantive scope of the Regulation, see Art. 2 para. 1, Art. 4 no. 6 GDPR) and being able to verify its lawfulness.
24. (b) According to these principles, the past correspondence between the parties, the plaintiff's "premium account," and the insurance policy data, as well as internal notes and communication of the defendant, cannot be categorically excluded from the scope of Art. 15 para. 1 GDPR.
25. (aa) Letters from the plaintiff to the defendant are generally considered personal data in their entirety under Art. 4 no. 1 GDPR. The personal information already exists in that the plaintiff expressed himself according to the letter (cf. still on § 4 para. 1 BDSG 1990 - Senate judgment of June 23, 2009 - VI ZR 196/08, BGHZ 181, 328 para. 17; on Art. 15 GDPR cf. LArbG Baden-Württemberg, BB 2020, 2169, 2174). Letters from the defendant to the plaintiff are also subject to the information claim insofar as they contain information about the plaintiff according to the criteria mentioned above. The fact that the letters are already known to the plaintiff does not, in itself, exclude the data protection information claim (cf. Brink/Joos ZD 2019, 483, 485; Schmidt-Wudy in BeckOK DatenschutzR, 35th ed. 1.2.2021, Art. 15 GDPR para. 52.2; contrary to LArbG Niedersachsen, judgment of June 9, 2020 - 9 Sa 608/19, juris para. 66; for the opposing regulatory approach concerning the information obligations under Art. 13, 14 GDPR cf. Art. 13 para. 4, Art. 14 para. 5 lit. a GDPR and Recital 62). The defendant should provide information on whether it currently processes, especially stores, the personal data contained in the correspondence. The information should enable the plaintiff to be aware of the data processing and verify its lawfulness. He should be able to ensure that the data concerning him is correct and processed lawfully (cf. ECJ, judgment of December 20, 2017 - case C-434/16, NJW 2018, 767 para. 57). The plaintiff's mere awareness that the correspondence was once exchanged is insufficient. It should also be noted that the information beneficiary can generally request information repeatedly (cf. Recital 63 sentence 1, Art. 12 para. 5 sentence 2 GDPR). This also argues against the appellate court's view that the information right under Art. 15 GDPR is limited to data not yet known to the data subject. Therefore, any second copies and amendments to the insurance certificate, which are also covered by the plaintiff's information request according to the hearing record, are not categorically excluded from the data protection information claim as long as the personal data they contain is processed by the defendant. Similarly, it is not apparent why the data processed by the defendant regarding the plaintiff's premium payments should not be generally subject to the information claim.
26. The defendant's correspondence with third parties can also contain data related to the plaintiff, as the appellate court assumes. However, the appellate court unchallengedly found that the defendant stated that no such correspondence had been conducted beyond the already provided information. With this final negative disclosure, the plaintiff's information claim concerning this information subject is fulfilled.
27. (bb) Internal notes or internal communication at the defendant's premises containing information about the plaintiff are also generally subject to the information claim under Art. 15 para. 1 GDPR. This is the case, for example, with notes recording how the plaintiff expressed himself in telephone or personal conversations (cf. OLG Cologne, VersR 2020, 81, 85; Schaffland/Holthaus in Schaffland/Wiltfang, GDPR/BDSG, Lfg. 3/21, Art. 15 GDPR para. 1d). Notes on the plaintiff's health condition also contain personal data. The appellate court's consideration that notes are "internal processes of the defendant" is irrelevant regarding the term "personal data." The information claim under Art. 15 para. 1 GDPR obviously does not require the data to be externally accessible.
28. However, when the plaintiff requests information about the defendant's internal evaluations of his claims from the disputed insurance policy, it must be noted that, according to the European Court of Justice's case law, legal analyses may contain personal data, but the legal assessment itself does not constitute information about the data subject and thus does not represent personal data (cf. ECJ, judgment of July 17, 2014 - cases C-141/12 and C-372/12, CR 2015, 103 para. 39 ff.). Data on commission payments to third parties by the defendant also have no relation to the plaintiff's person according to the criteria developed by the European Court of Justice. Therefore, the plaintiff's information request regarding these subjects, as indicated by the appeal, cannot be based on the GDPR.
29. cc) A preliminary ruling procedure under Art. 267 TFEU to clarify the term "personal data" within the meaning of Art. 15 in conjunction with Art
. 4 no. 1 GDPR is not necessary. The interpretation of this EU legal term by the European Court of Justice's case law is unequivocally clear ("acte clair," cf. ECJ, judgment of October 6, 1982 - case C-283/81, NJW 1983, 1257, 1258; BVerfG, NVwZ 2015, 52 para. 35), as far as it is relevant at the current stage of the disputed proceedings.
30. b) The plaintiff's claim no. 3 is not dismissible for other reasons (§ 561 ZPO).
31. aa) Contrary to the counter-arguments of the appeal response, the information claim - claim no. 3 - is sufficiently specific in the sense of § 253 para. 2 no. 2 ZPO and therefore admissible (regarding the requirements of § 253 para. 2 no. 2 ZPO in general cf. Senate judgment of October 13, 2015 - VI ZR 271/14, BGHZ 207, 163 para. 19 mwN). The question is a procedural requirement to be examined by the court of appeal ex officio, irrespective of the limitation of the appeal admission (cf. Senate judgment of October 13, 2015 - VI ZR 271/14, BGHZ 207, 163 para. 18; BGH, judgment of October 10, 2017 - XI ZR 456/16, NJW 2018, 227 para. 10; each mwN).
32. To determine the plaintiff's claim, not only the application itself but also the reasoning of the claim must be considered (cf. Senate judgments of February 1, 2011 - VI ZR 345/09, AfP 2011, 172 para. 9; of May 26, 2009 - VI ZR 174/08, VersR 2009, 1269 para. 13; each mwN). Based on this, there is no doubt in the present case that the plaintiff is not requesting just any "data information" (as the wording of the application states) but information on the personal data concerning him processed by the defendant under Art. 15 para. 1 GDPR. The scope of this request is also sufficiently specific. It is irrelevant whether the demand for "complete" information is sufficient, as the extent ultimately results from the law (in this sense, König, CR 2019, 295 para. 9-11; contrary Schulte/Welge, NZA 2019, 1110, 1112). In any case, the plaintiff specified in the appellate proceedings, as mentioned above, which specific information he (still) requested.
33. bb) The appeal response's argument that the information claim does not exist because the plaintiff pursues purposes not protected by Art. 15 para. 1 GDPR and that the claims are opposed by the defense of the disproportionate effort associated with their fulfillment for the defendant and the defendant's confidentiality interest lacks corresponding factual findings in the appellate judgment. The Senate cannot assess whether the plaintiff's data protection claims under Art. 15 GDPR could be restricted or even extinguished based on these aspects, for example, according to the provisions of Art. 12 para. 5 sentence 2, Art. 15 para. 4 GDPR or Art. 23 para. 1 GDPR in conjunction with § 29 para. 1 sentence 2 BDSG, based on the established facts.
34. c) As claim no. 3 is not yet dismissible, the auxiliary claim no. 4 is not yet to be decided. Therefore, the question raised by the appeal response, whether § 260 para. 2 BGB applies to the information claim under Art. 15 para. 1 GDPR or whether the latter provision is exhaustive, does not yet arise.
III.
35. Therefore, the appellate judgment had to be set aside to the extent specified and the case remanded to the appellate court for a new hearing and decision, § 562 para. 1, § 563 para. 1 sentence 1 ZPO.
**Judges:**
Seiters
Offenloch
Oehler
Müller
Böhm
