Court case 20 U 146/22 – Court Ruling (Germany, 2023)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A German court ruled that an insurance company could refuse a customer's request for data access because the request was excessive. The customer wanted information to check insurance premium changes, not for data protection reasons. This decision clarifies when companies can deny data access requests.
What happened
An insurance company refused a customer's data access request related to premium adjustments, and the court upheld this decision.
Who was affected
An insurance policyholder who requested access to data about their premium adjustments.
What the authority found
The court decided that the insurance company could deny the access request because it was used for purposes outside of data protection, making it excessive under GDPR.
Why this matters
This ruling helps define the boundaries of data access requests, showing that requests must align with data protection purposes. Companies can deny requests that are clearly unrelated to data protection, but they should be cautious in assessing the purpose.
GDPR Articles Cited
The data subject and the controller – an insurance company – litigated about the lawfulness of some premium adjustments in the data subject’s insurance policy. In this context, the data subject made an access request with the controller in order to obtain information on the basis of which the adjustments were triggered. The controller refused to comply with the data subject’s access request. The court of first instance aligned with the controller and declared the data subject’s action inadmissible. The Higher Regional Court of Hamm (Oberlandesgericht Hamm – OLG Hamm) upheld the court of first instance’s decision. The court did not exclude that in principle some of the information requested by the data subject were personal data within the meaning of Article 4(1) GDPR. Nevertheless, in this case the controller had the right to disregard the request in light of Article 12(5)(b) GDPR, as the latter was excessive. To ascertain whether an access request is excessive it is necessary, among others, to verify if the request pursues the goal of Article 15 GDPR, to be read in light of recital 63. In particular, an access request should enable a data subject to be aware of any processing operations concerning their personal data and check the lawfulness of said processing. In the present case, the data subject used instead the access request for a purpose which did not fall within the scope of data protection, namely to check whether premium adjustments were lawful under insurance law. The court stressed that this does not automatically entail that the data subject shall motivate their access request or distinguish between data protection purposes and other purposes. However, in cases where it is clear that the only purpose of the request is not related to data protection, the controller has a right to refuse to comply with the request. Finally, the court acknowledged that the issue could be the object of a preliminary reference to the CJEU. However, being the OLG Hamm not
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Court case 20 U 146/22 in DE
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Court case 20 U 146/22 - Germany (2023). Retrieved from cookiefines.eu
Last updated: