LG Hamburg - 332 O 243/21

From GDPRhub
LG Hamburg - 332 O 243/21
Courts logo1.png
Court: LG Hamburg (Germany)
Jurisdiction: Germany
Relevant Law: Article 12(5)(b) GDPR
Article 15 GDPR
Decided: 26.04.2023
Published:
Parties:
National Case Number/Name: 332 O 243/21
European Case Law Identifier: ECLI:DE:LGHH:2023:0426.332O243.21.00
Appeal from:
Appeal to: Unknown
Original Language(s): German
Original Source: Landesrecht Hamburg (in German)
Initial Contributor: mg

A German court held an access request ‘excessive’ and ‘abusive’ pursuant to Article 12(5)(b) GDPR, as its purpose was not strictly related to data protection but to other rights and interests of the data subject.

English Summary

Facts

The data subject and the controller – an insurance company – had a civil proceeding concerning the increase of the contributions the data subject was expected to pay to be insured with the controller. In particular, the data subject claimed that such increases were illegitimate. To prove this point, the data subject requested access to their personal data pursuant to Article 15 GDPR. The controller denied access. Therefore, the data subject requested the Regional Court of Hamburg (Landgericht Hamburg – LG Hamburg) to order the controller to provide access to the information at issue. The court adjudicated on the access request in the context of the broader civil proceeding pending between the parties.

Holding

The court rejected the data subject’s claim. In particular, the court found that the controller could refuse to consider the data subject’s access request pursuant to Article 12(5)(b) GDPR. As a matter of fact, the request was ‘excessive’ and could be framed as a case of abuse of right. According to the court, the purpose of Article 15 GDPR is expressed by Recital 63 of the Regulation, which clearly states that an access request should enable a data subject to become aware of data processing involving their data and check the lawfulness of processing operations. In the present case, the data subject tried to Article 15 GDPR for a purpose that had nothing to do with data protection. The dispute between data subject and controller was in reality only an insurance law dispute.

Comment

The interpretation adopted by the court is excessively restrictive and does not find any support in the text of the Regulation. Recitals cannot be used to limit the level of protection established by the GDPR. Moreover, the idea that a data protection right can only be used to facilitate other data protection rights is in contrast with the spirit of this fundamental right as such, being data protection often instrumental to other rights and interests, including constitutional freedoms.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

If you see this message, you do not have JavaScript activated in your browser. Please activate JavaScript to use the citizen service.