Customer (Data subject) – Court Ruling (Germany, 2024)

The data subject was in a dispute with a health insurance company (the controller) about premium adjustment issues in their insurance plan, and associated missed explanation obligations. The data subject repeatedly used their right to access information via Article 15 GDPR to obtain data about the contribution history of the insurance contract. The data subject's original access request sought extensive documentation (all correspondence and attachments). The controller refused such frequent and extensive requests, citing Article 12(5) GDPR, which allows a controller to refuse or charge a reasonable fee for excessive or repetitive requests. The court confirmed that only the personal data of the data subject falls within the scope of Article 15 GDPR. The mere fact that some documents like formal letters or appended documents in insurance correspondence exist does not mean the entire document collection is personal data if only parts of them relate to the data subject. The court explicitly stated that an access request may be repeated and the existence of prior disclosures does not extinguish the right to access further relevant personal data, so a controller cannot claim that a prior fulfillment of a request automatically precludes subsequent valid requests under Article 15 GDPR. The court further held that the broad set of documents originally requested by the data subject was too general and did not meet this requirement. Only specific documents about the data subject’s insurance relationship were treated as identifiable personal information. The court granted the data subject a more narrowly tailored access right to certain personal data, which requires the controller to provide a copy of specific personal information about the data subject’s contract for the years 2017 to 2019, including the dates and amounts of old and new insurance contributions, the dates of insurance plan changes and the dates when the insurance plans were terminated.