Court case 8 U 2907/21 – Court Ruling (Germany, 2022)

The controller is a private health insurance company. The data subject is insured with the controller. The parties are in dispute about the invalidity of several premium increases as well as about the resulting claims for refunds. The data subject filed a lawsuit with the Regional Court of Ansbach (Landgericht Ansbach - LG Ansbach) requesting the refund of overpaid premiums as well as information from the controller on all adjustments to premiums in the form of insurance policies, supplements to these policies and all notification letters sent to the data subject during the contractual relationship. The Higher Regional Court Nuremberg (Oberlandesgericht Nürnberg - OLG Nürnberg) held that the data subject had no right to access under Article 15 GDPR because the controller was entitled to reject the request pursuant to Article 12(5)(b) GDPR. The court reasoned that this provision merely lists "repetitive character" as an example of an excessive request. However, the use of the word "in particular" makes it clear that the provision also intends to cover other forms of abusive requests. To assess what constitutes an abuse of the right to access, the court referred to the purpose Article 15 GDPR which according to Recital 63 is to enable the data subject to be aware of, and verify, the lawfulness of the processing. The court ruled that the data subject was obviously not interested in verifying the lawfulness of the processing but rather to check whether the adjustments made to the premiums were formally compliant with German insurance law. As a consequence, the court concluded that the request was abusive.