OLG Koblenz - 10 U 1633/22

From GDPRhub
OLG Koblenz - 10 U 1633/22
Courts logo1.png
Court: OLG Koblenz (Germany)
Jurisdiction: Germany
Relevant Law: Article 12(5) GDPR
Article 15(3) GDPR
Decided: 20.07.2023
Published:
Parties:
National Case Number/Name: 10 U 1633/22
European Case Law Identifier: ECLI:DE:OLGKOBL:2023:0720.10U1633.22.00
Appeal from:
Appeal to: Unknown
Original Language(s): German
Original Source: Rheinland-Pfalz (Germany) (in German)
Initial Contributor: mg

A higher German court held that an access request pursuant to Article 15 GDPR is not “excessive” when it purses objectives different from data protection.

English Summary

Facts

The data subject and the controller were bound by an insurance contract. The controller increased the premium and the data subject claimed that such an increase was unlawful. Therefore, the data subject made an access request, to which the controller refused to reply.

The data subject challenged the lawfulness of the premium increase in court and contextually asked the judge to order the controller to provide access to the requested information.

The court of first instance dismissed the data subject’s access claim, stating that the latter was merely instrumental to prove the unlawfulness of the premium increase, without any autonomous data protection purpose.

The data subject appealed the decision.

Holding

The Higher Regional Court of Koblenz (Oberlandesgericht Koblenz – OLG Koblenz) overturned the first instance judgement.

First, the court stressed how information concerning premium increases in an insurance agreement, like in general all contract details related to an individual, are personal data within the meaning of Article 4(1) GDPR.

Second, the court referred to the CJEU judgement in case C-487/21 to clarify the scope of the data subject’s right to a copy of their personal data pursuant to Article 15(3) GDPR. The data subject had a right to a faithful and understandable reproduction of all their personal data processed by the controller. The court also pointed out how the right to a copy shall enable the data subject to enforce further data protection rights, such as right to erasure, rectification or objection.

Finally, the court stated that the controller could not rely on Article 12(5) GDPR to avoid to reply to the access request. As a matter of fact, that is possible only insofar as a request is manifestly unfounded or excessive. It was uncontested by the controller that personal data were processed, therefore the request was not manifestly unfounded. Regarding the “excessiveness” of the access request, the court of first instance held that it did not directly serve data protection purposes. However, the court pointed out to the fact that Article 15 GDPR does not impose any motivation obligation. The data subject is indeed not forced to state the reasons of their request, that are irrelevant from the perspective of the European law-maker. To support this argument, the court also quoted the AG Opinion in pending case C-307/22, where the AG stated that an access request is not limited to the purposes listed in Recital 63.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

If you see this message, you do not have JavaScript activated in your browser. Please activate JavaScript to use the citizen service.