Tax Authority – Court Ruling (Germany, 2022)

In 2020, the data subject requested access to data concerning him from the tax authority (the controller) after a tax audit had been carried out on his wife. The controller replied that the data processed in this context did not concern the data subject. In February 2021, the controller reported a data breach to the competent supervisory authority. In the course of the tax audit, the case handler had sent the data subject's mobile phone number to his wife's work email address via unencrypted email without his consent. Subsequently, the data subject filed a complaint with the German Federal Data Protection Authority (BfDI). In March 2021, the data subject filed an action for information. In particular, he desired information on all data about him stored by the controller since 1972, a copy of the data and the deletion of all data. The Finance Court Berlin-Brandenburg fully rejected the data subject's claim. First, regarding the data subject's right to access pursuant to Article 15(1) GDPR, the court held that the data subject was not entitled to the requested unlimited and unspecified data disclosure. It stated that this right against controllers who process large amounts of data only exists if the request is sufficiently specified. The court rejected the data subject's view which mainly referred to the wording of the provision. Instead, it made a systematic argument. The court used Recital 63(7) GDPR and a comparison with Article 14(5)(b) GDPR according to which the fulfilment of information obligations vis-à-vis a person affected by a data collection from third parties can be omitted if the provision of this information proves to be impossible or would require a disproportionate effort. Here, the court emphasised that some scholars even apply Article 14(5)(b) GDPR analogously to Article 15(1) GDPR even though it did not create an analogy itself. In particular, the court argued that, if Article 15(1) GDPR had to be interpreted widely, the exercise of comprehensi