Court case 2 O 448/20 – Court Ruling (Germany, 2021)

The controller is a health insurance company. The data subject entered into a contract for private healthcare insurance with the controller. During the term of the contract, the controller repeatedly increased the premiums and informed the data subject accordingly. The data subject initially paid the increased premiums without reservation, but subsequently suspected unlawful premium adjustments. To obtain a refund of premiums, the data subject used a request for information in connection with a staged action pursuant to section 254 ZPO, and requested the controller to submit the supplements to the insurance policy, justifications for the adjustments, as well as further information sheets. The controller, however, claimed that the requested documents were no longer available and refused to send them. Moreover, they also stated that the request for information was inadmissible, as the information requested by the data subject did not serve to quantify the claim. The data subject then brought the action before court. The Court had to decide, inter alia, whether the data subject's request, if interpreted as a an access request under Article 15 GDPR, was admissible from a data protection perspective. The Court held that the access request was vexatious and declared the action partially inadmissible and unfounded. The claim was dismissed. According to the Court, the data subject's request was unfounded under both civil law and data protection law. The Court held that the request for information could not be regarded as an access request under Article 15(1) GDPR. According to Recital 63 GDPR, the right of access under Article 15 GDPR serves data subjects to be informed about the processing of their personal data and to verify the lawfulness of the processing. By making such requests, data subjects should be empowered to assess the scope and content of the data processed in order to be able to assert further rights under the GDPR. In the present case, the data subject