Court case 3 C 29/23 – Court Ruling (Germany, 2024)

The data subject, a holder of an insurance policy of an insurance company (the controller), sued after the controller adjusted the premium amounts of their policy. The data subject claimed the adjustments were not fully communicated in accordance with the German Insurance Contract Act ([https://www.gesetze-im-internet.de/vvg_2008/ Versicherungsvertragsgesetz] - VVG), which mandates that reasons for premium changes be disclosed, including whether they are temporary or permanent. The contract between the data subject and the controller had been in place for several years, with premium adjustments occurring over time. The data subject argued that the controller did not provide adequate information about these adjustments. They also sought access to personal data related to their insurance policy under Article 15 GDPR, including details of premium adjustments, tariff changes, and policy terminations. The controller denied the request, asserting that the necessary information had already been provided. The court held that the data subject's claim for information under Article 15(1) GDPR was justified. The personal data in question, relating to the data subject’s insurance relationship, were considered personal data as per Article 4(1) GDPR. The controller was required to provide information on the processing of these personal data, which included the time and amount of premium adjustments, tariff changes, and tariff terminations. The court rejected the controller’s argument that the data subject's request was abusive according to Article 12(5)(b) GDPR. It emphasized that the GDPR grants a very strong right to information, aimed at ensuring transparency and data sovereignty. The data subject’s request was not deemed excessive, as it sought data related to his own contractual relationship and indicated that he no longer had access to the information. The court affirmed that the controller could not deny the request based on the data subject's potential economic intere