Court case 332 O 243/21 – Court Ruling (Germany, 2023)

The data subject and the controller – an insurance company – had a civil proceeding concerning the increase of the contributions the data subject was expected to pay to be insured with the controller. In particular, the data subject claimed that such increases were illegitimate. To prove this point, the data subject requested access to their personal data pursuant to Article 15 GDPR. The controller denied access. Therefore, the data subject requested the Regional Court of Hamburg (Landgericht Hamburg – LG Hamburg) to order the controller to provide access to the information at issue. The court adjudicated on the access request in the context of the broader civil proceeding pending between the parties. The court rejected the data subject’s claim. In particular, the court found that the controller could refuse to consider the data subject’s access request pursuant to Article 12(5)(b) GDPR. As a matter of fact, the request was ‘excessive’ and could be framed as a case of abuse of right. According to the court, the purpose of Article 15 GDPR is expressed by Recital 63 of the Regulation, which clearly states that an access request should enable a data subject to become aware of data processing involving their data and check the lawfulness of processing operations. In the present case, the data subject tried to Article 15 GDPR for a purpose that had nothing to do with data protection. The dispute between data subject and controller was in reality only an insurance law dispute.