BGH - VI ZR 576/19
|BGH - VI ZR 576/19|
|Relevant Law:||Article 4(1) GDPR|
Article 15 GDPR
|National Case Number/Name:||VI ZR 576/19|
|European Case Law Identifier:||ECLI:DE:BGH:2021:150621UVIZR576.19.0|
|Appeal from:||LG Köln|
26 S 13/18
|Original Source:||Entscheidungsdatenbank des Bundesgerichtshofs (in German)|
The German Federal Supreme Court specified the scope and requirements for the fulfilment of a right of access. Among other things, a right of access is not limited to "essential biographical information" and also extends to data in "internal processes".
English Summary[edit | edit source]
Facts[edit | edit source]
The controller is a life insurance company with which the data subject is insured. Even before the introduction of the GDPR, the data subject asserted a claim for information pursuant to § 34 of the old version of the German Data Protection Act (BDSG). The controller provided some information. However, the data subject was of the opinion that the information provided was incomplete.
The claim subsequently asserted in court was dismissed at first instance.
In the second instance, the data subject based his request for information on Article 15 GDPR, which has since entered into force. The data subject requested information on all personal data actually held by the defendant, which were subsequently specified in more detail.
The court of second instance rejected the right to information, arguing that the claim had already been fully satisfied. The data subject had not specifically shown that the information already provided by the controller was incomplete and what further information he was demanding. Furthermore, the requested items were not subject to the right of access.
The data subject appealed this decision to the Federal Supreme Court (Bundesgerichtshof, BGH).
Holding[edit | edit source]
The appeal against the denied right of access was successful. The data subject was entitled to information to the extent claimed. The claim was not fulfilled by the controller and insofar still existed to the extent asserted. The BGH refrained from a preliminary ruling since the interpretation of the law is clearly defined by the CJEU ("acte clair").
Requirements for the Fulfillment of a Right of Access[edit | edit source]
The court first explains under which conditions a right of access is fulfilled.
This is the case if, according to the controller's declared intention, the information constitutes the information owed in its entirety. If the information is provided in this form, any inaccuracy in its content does not prevent performance. The suspicion that the information provided was incomplete or incorrect could not justify a claim to information to a greater extent. Essential for the fulfillment of the right of access was therefore the - possibly implied - declaration by the controller that the information was complete.
The controller must declare that the information provided is identifiably intended to fully meet the data subject's access request. This is not the case, for example, if no information is provided on a named subject of access, e.g. because the controller erroneously assumes that there is no claim to this effect.
In the same way, the claim was fulfilled with a final negative disclosure. It is sufficient if the controller declares that no data relating to a concretely requested subject of access (here: correspondence with third parties) has taken place beyond the information already provided.
Subsequently, the court stated with regard to the individual information requested that the controller had partially misunderstood the concept of personal data and (thus) the scope of the right of access, and thus the claim was not fulfilled.
Personal Data: No Requirement of "Essential Biographical Information"[edit | edit source]
To this end, the court refers to the legal definition of personal data in Article 4(1) GDPR and points out that the term is to be understood broadly. It is not limited to sensitive or private information, but potentially includes all types of information, both objective and subjective, in the form of opinions or assessments, provided that it is information about the person in question. The latter condition is met if the information is linked to a specific person by virtue of its content, purpose or effects.
Contrary to what is sometimes argued, Article 15 GDPR should not be teleologically reduced to require "essential biographical information". This would not be compatible with the case law of the CJEU on the broad understanding of personal data.
Knowledge of the Data Subject of Information Does Not Prevent the Right of Access[edit | edit source]
The court further states that it does not prevent a right of access if the data subject is already aware that a specific correspondence (including personal data) has taken place. According to Recital 63(1) GDPR, the right of access serves to ensure that the data subject can be aware, and verify, the lawfulness of the processing. Even if a data subject is aware of past correspondence, they cannot deduce from this whether the respective data are still currently being processed, in particular stored. Furthermore, it follows from recital 63(1) and Article 12(5)(2) GDPR that information can in principle be requested repeatedly, which also speaks against an exclusion of a claim in the case of knowledge.
Access Right also for Personal Data included in "Internal Processes”[edit | edit source]
The court also found that information in internal notes, for example on the health of a data subject or on statements made by the data subject in telephone conversations, must also be provided. The controller's statement that these were "internal processes" was not valid. Neither the wording nor the purpose of Article 15(1) GDPR required that personal data need to be accessible externally.
Assessment of the Legal Situation and Commission Payments to Third Parties Do Not Constitute Personal Data[edit | edit source]
Finally, the court refers to CJEU case law, according to which legal analyses may in principle contain personal data, but the assessment of the legal situation made on the basis of these data does not itself constitute personal data.
According to CJEU case law, data on commission payments made by the controller to third parties also have no personal reference.
Comment[edit | edit source]
Share your comments here!
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the German original. Please refer to the German original for more details.