Court case VI ZR 370/22 – Court Ruling (Germany, 2024)

The data subject had a contract with a bank (the controller) from 1986 to 2000. Another bank informed the data subject that the controller had a claim against the data subject based on a Schufa (credit ranking agency) entry. Because of this, the data subject could not get a loan. Subsequently, the data subject requested access from the controller about the type and the scope of the personal data stored about the data subject. The controller objected to this request, stating that the request was too extensive and provided information to the extent that it considered was lawful. The data subject argued that this information was incomplete and asked again for access. The controller refused to provide further information. The data subject then filed a lawsuit at the District Court of Seligenstadt (Amtsgericht Seligenstadt - AG Seligenstadt) against the incomplete answer to the access request and claimed non-material damages. The District Court then ordered the controller to provide access under Article 15(1)(a) - (h) GDPR, and additionally the means of data processing, the media on which the data was stored, the frequency of deletion of the data subject's personal data, each location where the data was stored, whether a cloud was used for storage, which data was deleted in the last twelve months, the technical and organisational measures for processing and profiling of the data subject's personal data, how security was ensured, which data threats occurred, and the name of the data protection officer (DPO). However, the District Court did reject the compensation for non-material damages. The data subject appealed the decision at the Regional Court of Darmstadt (Landgericht Darmstadt - LG Darmstadt) and requested the Regional Court to order the controller to provide complete information under Article 15 GDPR, and reformulated its request to include all notes and assessments on the data subject, the algorithms used by the controller to evaluate the data, all processors