Financial advisory firm (controller) – Court Ruling (Germany, 2024)

The data subject was an employee of the controller, a financial advisory firm. On 11 April 2019, the data subject requested copies of all personal data the controller held about them under Article 15(3) GDPR, covering the years from 1 January 1997 to 31 March 2018. The controller provided a standard disclosure of stored information but did not supply actual copies of documents. The data subject then sued for damages and specifically sought court orders requiring the controller to hand over copies of all personal data, including telephone notes, file memos, minutes of conversations, emails, letters, and subscription documents related to investments. The case progressed through the regional court and higher regional court, which differed on the scope of what must be provided. Both controller and data subject appealed previous decisions. First, the court clarified that the right under Article 15(3) GDPR to receive a “copy” of personal data does not automatically extend to entire documents simply because they contain personal data. It held that documents the data subject themself authored (such as emails and letters to the controller) are in their entirety personal data and must be supplied as copies because the personal data is inherent in the document. Documents or parts of documents created by the controller (such as telephone notes, file memos, minutes, letters from the controller, or investment subscription forms) are not wholly personal data of the data subject as they may contain mixed information. Second, it clarified that the controller must provide only those portions that constitute the data subject’s personal data and need not turn over entire documents if parts are unrelated to the personal data. Finally, the court therefore limited the data subject’s entitlement to copies of their own emails and letters held by the controller and dismissed requests for broader document disclosure.