Higher Regional Court of Cologne applies a (very) broad approach to a data subject’s right to access personal data

As the GDPR is preparing for its second birthday, the first judgements by higher regional courts are published.

It was inevitable that the first caseload would deal in particular with Article 15 GDPR (right of access by the data subject / request for information). One hot topic is the question regarding the scope of Article 15 GDPR. The practical question is how much personal data and which personal data a controller must provide to a data subject upon such a request. The language of Article 15 (1) and (3) sentence 1 GDPR indicates a very broad scope. However, Article 15 (4) GDPR allows for a more nuanced approach.

While different courts have taken different views, one court case dealing with a life insurance contract is particular important to note.

1. The Higher Regional Court of Cologne assumes an extensive scope of Article 15 GDPR

On July 26, 2019, the Higher Regional Court of Cologne, case no. 20 U 75/18, issued a recently published judgement declaring a very broad scope of Article 15 GDPR. In this case, the claimant filed a motion to obtain all personal data concerning him that was processed by the defendant. The parties had concluded a life insurance contract on November 1, 2000. The claimant wanted to obtain all personal data ever processed and still on file with regard to his life insurance contract.

The defendant wanted the concept of personal data to only cover master data (which it had already provided in this case). Further information, in particular electronically stored notes on telephone calls and other conversations with the claimant, should not be within the scope of Article 15 GDPR.

The court agreed with the claimant. Moreover, the court rejected the argument on limitation of personal data by the defendant. The GDPR does apply a broad concept of personal data (see Article 4 (1) GDPR) because of the development of information technology with its comprehensive processing and linking/matching possibilities. This means that there is no longer any irrelevant data (as already stated – and referenced by the Higher Regional Court of Cologne – in a very famous decision by the German Constitutional Court, dated December 15, 1983, case no. 1 BvR 209/83, with regard to the 1983 German Federal Census Act). Any information/data relating to an identified or identifiable natural person has to be considered personal data.

The Higher Regional Court of Cologne upheld that even conversation notes or telephone notes regarding the claimant, recorded statements of the claimant or recorded statements about the claimant are personal data. The defendant has to provide a copy of such data to the claimant, too.

Last but not least, the defendant was not permitted to argue the protection of its business secrets. Personal data – provided by the claimant or at least stated by the claimant and noted by the defendant – cannot be a business secret of the defendant.

2. Why might this be relevant for you?

Controllers have (or at least should have) implemented processes regarding data subject rights, including a process to deal with the right of access by a data subject. Many data subjects file such requests, especially during a dispute (e.g., with regard to an action against unfair dismissal). It might be worth looking into the scope of information that a controller is able to produce upon request. Controllers should even take telephone notes and/or conversational notes concerning data subjects into account.

If more (higher) courts follow the underlying reasoning, this court judgement might have an incredible influence in the future (especially if one day the European Court of Justice shares this opinion as well).