Update Data Protection No. 103
Federal Court of Justice on the Scope of the Right to Access pursuant to Article 15(1) GDPR
In its ruling of June 15, 2021 (Case No. VI ZR 576/19), the German Federal Court of Justice (BGH) for the first time took a comprehensive position on the scope of the right to access pursuant to Article 15(1) GDPR. Article 15 GDPR standardizes the right of access of a data subject vis-à-vis a controller. Pursuant to Article 15(1) GDPR, a data subject may ask the controller to provide information on whether he/she is processing personal data relating to him/her and, if so, to provide access to such data and further information. The right to access is accompanied by the right to be provided with a copy of the personal data processed by the controller pursuant to Article 15(3) GDPR.
The question of exactly which data is covered by the right to access and the right to a copy has been the subject of a multifaceted dispute in recent years (also see Data Protection Update Nos. 58, 74 and 95). Case law has also not taken a uniform position in this regard. This has resulted in a large number of different rulings by various (lower-instance) courts, specifically on the right to a copy. In some cases, there is a very restrictive interpretation that requires the controller to provide only a copy of all the data subject's master data or restricts the right to a copy to personal data that the data subject does not possess themself. In contrast, however, there is also a very broad interpretation favorable to the data subject, which obligates the controller to comprehensively provide a copy of all documents containing personal data of the data subject.
In the present ruling, the BGH has, for the first time, commented on the scope of the right to access under Article 15(1) GDPR and takes a very far-reaching interpretation, which also obligates the controller to hand over comprehensive documents should they contain personal data. However, the court does not address the right to be provided with a copy pursuant to Article 15(3) GDPR. Ultimately, the BGH thereby blurs the contours between the right to access pursuant to Article 15(1) GDPR and the right to copy pursuant to Article 15(3) GDPR, so that, in the future, we can continue to expect difficulties in distinguishing between the two.
Facts of the case
The plaintiff concluded a life insurance contract with the legal predecessor of the defendant in 1997. In 2016 – at that time still on the basis of the German Federal Data Protection Act (BDSG) – he demanded for the first time information on which data the defendant was processing which concerned him. The defendant sent the requested data. The subsequent dispute, which went before the courts, primarily concerned the question of whether this data access – now based on Article 15 GDPR – was complete or whether the defendant still had to hand over further documents, such as correspondence between the parties, information on the plaintiff's "premium account," data on the insurance policy, and internal notes and internal communications of the defendant concerning the plaintiff. While the first two instances still affirmed completeness, the BGH now ruled that the right to access went further than the defendant (and the lower courts) had assumed and that the information had therefore not been sufficient. Rather, the defendant was obligated to hand over comprehensive documents insofar as these contained personal data of the plaintiff.
Essential content of the Decision
First of all, the BGH stated that the concept of personal data pursuant to Article 4 no. 1 GDPR is to be interpreted broadly under reference to the case law of the ECJ. In doing so, the BGH adopts the definition of the ECJ, according to which the term is not limited to particular "significant" information, but potentially includes all types of information of both an objective and subjective nature in the form of personal letters, opinions or assessments, provided that it is information linked to the person at issue (ECJ, judgment dated December 20, 2017 - Case C-434/16). Accordingly, the BGH rejects the opinion that the concept of personal reference should be understood differently, i.e. more narrowly, in the case of Art. 15 GDPR. According to the BGH, the term should rather be interpreted uniformly and thus broadly within the scope of the GDPR.
The BGH then goes on to address the scope of the right to access. The purpose of the right of access is to enable the data subject to verify the legitimacy of the processing. Based on this, according to the BGH, both the past correspondence of the parties, information on the "premium account" of the plaintiff, data of the insurance policy as well as the internal notes and the internal communication of the controller are in principle covered by Article 15 GDPR. The data subject's own statements in letters to the controller are in their entirety information relating to the data subject and thus personal data. This also applies to the letters of the controller – both internal and to third parties – insofar as they contain information about the plaintiff.
At this point, the BGH also clearly rejects the argument that access does not have to be provided if the data subject already has the information. On the one hand, Article 15 GDPR lacks a provision like Article 13(4) GDPR, which explicitly provides for such an exception. In addition, Article 15 GDPR also permits repeated requests for information, which is why known data is also covered. Finally, the right of access can only fulfill its purpose for the data subject – namely to know the current and specific processing operations and to check their legitimacy – if all the data is included which is processed at the time of the access. The fact that the data subject already knows that certain data is available to the controller is not sufficient for this purpose. In line with this, according to the BGH, the controller must also (again) provide, for example, the letters created by the data subject themself, as well as documents already provided to the data subject. In this specific case, the latter concerned information on premium payments to the plaintiff, which was already known to him.
Furthermore, the BGH ruled that, for the question of whether personal data existed, it was irrelevant as to whether it was information from internal processes of the controller. In other words, according to the BGH, such data is also subject to the right of access. The court does see an exception – again based on ECJ case law – in the case of internal assessments (here on the plaintiff's claims). Such legal analyses may indeed contain personal data. However, the assessment of the legal situation itself does not contain any information about the data subject (ECJ, judgment of July 17, 2014 - Cases C-141/12 and C-372/12) and is therefore not covered by the right to access.
For controllers, the ruling is likely to mean a considerable amount of additional work. This is particularly true for large organizations where personal data — especially records related to a data subject — are processed in different departments and sectors. They must now ensure that all relevant documents are the subject of access (pursuant to Article 15(1) GDPR) and provide a corresponding copy of these documents. Legal analyses and assessments, for example, are excluded. In this respect therefore, not all documents that are created in relation to a data subject can be considered the same as personal data of the data subject. A distinction must be made here between the data on which assessments are based and the assessment itself. In contrast, internal notes and evaluations on the data subject, for example, must be provided as part of the access. Otherwise, there is a risk of fines and claims for damages.
Unfortunately, the ruling does not contain any remarks on the delimitation of the right to a copy pursuant to Article 15(3) GDPR. The BGH ruling blurs the boundaries between the right to access under Article 15(1) GDPR and the right to a copy under Article 15(3) GDPR. According to the BGH, the controller must already send copies of the relevant documents as part of the right to access. Likewise, the judgment hardly contains any explanations about the limitations and exceptions in connection with Art. 15 GDPR. However, these must also be reviewed by controllers in a second step before deciding whether and how a request for access should be complied with. The BGH has cited, for example, extraneous purposes pursued by the request for access, a disproportionate effort on the part of the controller, and confidentiality interests, as possible exceptions. This point is of interest for several reasons. On the one hand, in the case of the exceptions explicitly mentioned by law (Article 12(5) sentence 2 GDPR, Article 15(4) GDPR, Section 29(1) sentence 2 German Federal Data Protection Act (BDSG), Section 34(1) BDSG), many questions remain unanswered due to a lack of case law and unclear wording. On the other hand, there is no explicit reason for exclusion for extraneous purposes, for example. In this respect, it remains to be seen whether the BGH will include these under "obviously unfounded" requests for information within the meaning of Article 12(5) sentence 2 or whether it will carry out a general weighing of interests here.
It is also unclear how specifically the request for access has to be phrased. Whereas the German Federal Labor Court [BAG] in its judgment (BAG, judgment of April 27, 2021 - 2 AZR 342/20), when referring to the enforceability of a judgment, did not find it sufficient that comprehensive data access on all emails relating to a specific email address was requested, the German Federal Court of Justice expressly left this question open, since in its case a more precise specification resulted in any case from the statement of the grounds for the action and the negotiations. The court, however, suggested that it might be sufficient for the scope of such a request to be apparent from the law. Then it would again be a question of proportionality, namely, to what extent a controller would have to comply with comprehensive and relatively indeterminate requests.
Conclusion and recommendation
The dispute about the scope and definition of the right of access and the right to copy pursuant to Article 15 GDPR will continue. The Austrian Supreme Court, for example, referred the question to the ECJ as to whether the controller has a right of choice to "only" name the categories of recipients or whether it must name the specific recipients if they are known to it (öOGH, decision of February 18, 2021 - ref. 6 Ob 159/20f). In addition, the exceptional circumstances under which access can be refused or restricted will come further into focus.
Irrespective of this, it is now important for controllers to adapt their internal processes for providing information – where necessary – to ensure that all personal data relating to a data subject is provided within the statutory one-month period. Accordingly, the ruling of the BGH also requires that documents such as correspondence, notes, etc. must be released in many cases. In doing so, which documents must be released and what information may need to be redacted, for example, when it concerns confidential information of third parties or trade secrets, must be carefully examined. In addition, further developments should definitely be monitored.