Germany’s highest civil court, the Federal Court of Justice (Bundesgerichtshof, the FCJ), has just published a decision specifying the scope of data subject access requests (DSARs). The FCJ held that Article 15 of the EU General Data Protection Regulation (GDPR) has a broader scope than previously understood in Germany. Pursuant to the court’s decision, Article 15 GDPR also covers information already known to the data subject, previous correspondence and notes of internal processes or internal communications related to the data subject.
The defendant was a life insurance company and the claimant their insured. At first instance the claimant referred to pre-GDPR laws and lost the case; at second instance he based his DSAR on Article 15 GDPR and requested information on all personal data actually held by the defendant, specifying his requirements in more detail. The court of the second instance, the Regional Court of Cologne, dismissed the claim as it considered that the defendant had provided all information required under Article 15 GDPR. It held that the claimant failed to demonstrate that the information already provided by the controller was incomplete. The claimant appealed this decision to the FCJ.
The FCJ held that the defendant had not responded appropriately to the DSAR and went on to detail the scope of the data subject access right under Article 15 GDPR. In particular, the court held the following:
- No requirement of “essential biographical information”
With regard to the scope of the data subject access right, the FCJ refers to the legal definition of personal data in Article 4(1) GDPR. It points out that the term is to be interpreted broadly and is not limited to sensitive or private information, but potentially includes all types of information, both objective and subjective, in the form of opinions or assessments, provided that this information relates to the data subject. This is the case if the information can be linked to a specific person due to its content, purpose or impact.
Accordingly, the scope of Article 15 GDPR cannot be reduced to “essential biographical information” since such an interpretation would not be compliant with the case law of the ECJ on the term “personal data”.
- Knowledge of the data subject of information is irrelevant
Further, the FCJ states that the data subject can still assert his access right if he is already aware of the specific correspondence (including personal data) between the parties. According to Recital 63 sentence 1 GDPR, the right of access is intended to ensure that “the data subject can be aware of, and verify, the lawfulness of the processing”. Moreover, it follows from Recital 63(1) and Article 12(5) sentence 2 GDPR that information can be requested repeatedly. Accordingly, a data subject can request that information be provided even if he/she is aware of previous correspondence.
- Access right also for personal data included in “internal processes”
The FCJ also held that information in internal notes, for example on the data subject’s health or on statements made by the data subject in telephone conversations, must also be provided. The defendant’s statement that these were “internal processes” is irrelevant. Neither the wording nor the purpose of Article 15(1) GDPR requires that personal data be externally accessible.
- Assessment of the legal framework does not constitute personal data
Finally, the FCJ refers to ECJ case law (judgement dated 17 July 2014, ref. no. C-141/12 and C-372/12), according to which legal analysis, while it may contain personal data, does not constitute personal data as it is information about the assessment and application of the law to the data subject’s situation, provided that a summary of the personal data information held is provided. Accordingly, the legal assessment of the commission payments made by the controller to third parties, although it included the data subjects’ names, was not responsive to the request, according to ECJ case law.
The German FCJ refrained from referring the decision to the ECJ on the basis that the definition of what constitutes “personal data” is clearly settled by the case law of the ECJ.
With its decision, the FCJ broadened the scope of information that must be provided in response to DSARs in Germany.
The FCJ judgement is not really surprising, as it only clarifies that all personal data related to the data subject must be provided. Accordingly, companies must respond to data subject requests by providing comprehensive information which will require more effort. This also brings the risk (so prevalent already in the UK and Ireland) that DSARs will be used to “fish” for evidence for collateral disputes and claims. In this respect, companies are well advised to examine carefully possible restrictions and exclusions of the data subject access request due to disproportionality or the overriding rights and freedoms of third parties. For instance, employers might request employees to specify the processing activities or the information that they are looking for rather than to provide all information. The FCJ has not commented on these questions and they will very likely become the subject of disputes between data subjects and controllers in the near future.