Court case 18 O 204/21 – Court Ruling (Germany, 2022)

The controller is a private health insurance company. The data subject is a customer of the controller. The parties are in dispute about the validity of several increases to the insurance premiums. The data subject requested refund of overpaid premiums as well as information on all adjustments to the premiums in the form of notification letters sent to the data subject and supplements to the insurance policy to verify the lawfulness of the increases. The controller rejected both claims. Consequently, the data subject filed a lawsuit against the controller with the Regional Court of Essen (Landgericht Essen - LG Essen). The Regional Court of Essen rejected the data subject's claim entirely. Regarding the notification letters, the court concluded that the data subject has no right to access under Article 15 GDPR , because the notification letters are standardised letters sent to every policy holder and, therefore, not personal data under Article 4(1) GDPR. Moreover the court found that the controller can refuse to act on the request according to Article 12(5)(b) GDPR, because the request is excessive. The court held that the "repetitive character" of a request is just an example under Article 12(5) GDPR and that an access request can also be considered excessive if the request does not serve the purpose of verifying the lawfulness of the processing as stated in Recital 63. The court then established that the data subject's request does not serve this purpose but solely aims at verifying the validity of the premium increases.