Bank – Court Ruling (Germany, 2022)

In 2019, the data subject, a bank, received a letter from the controller, the tax authority, informing it of a number of investigation results and announcing that the data subject would have to pay the taxes in the cases discovered by the investigation. Furthermore, the letter contained tax summary reports on the change of the data subject's capital gains tax filings in tax matters of various investment funds. Subsequently, the data subject applied to the controller for the right to be heard and to inspect and access the files, based on the German Fiscal Code (Abgabenordnung - AO) and Article 15 GDPR. The controller refused, arguing that the data subject already had knowledge of the files on capital gains tax and that all other documents listed were part of investigation files in criminal tax proceedings conducted by public prosecutor's office. Regarding the investigation files, the controller questioned whether Article 15 GDPR was even applicable. It stated that the data subject might be able to substantially complicate investigations if given access. The data subject argued that it did not have full knowledge of the data processed. It claimed that when balancing the parties' interests, its own would outweigh the controller's. The Financial Court of Munich (FG München) had to decide whether the data subject had a claim under Article 15 GDPR, what was the scope of the data subject's claim and whether the claim was satisfied by granting access to individual documents or providing copies. The FG München dismissed the claim. It held that, while the data subject generally would have a right to access pursuant to Article 15(1) GDPR, that did not encompass the data in question. First, the court established that the GDPR applies to the bank as a data subject since § 2a(5) AO orders the corresponding application of the GDPR to entities with or without legal capacity such as the data subject in this case. Then, the court clarified that there is no general right to inspe