Scope and implementation of the right of access under data protection law

Germany

The scope of the right of access under data protection law pursuant to Article 15 GDPR is controversial. This is leading to uncertainties as to how to fulfil that right. 

In autumn 2023, the European Data Protection Board (EDPB) announced that the third Coordinated Enforcement Framework (CEF) of the national data protection authorities will focus on the rights of access under Article 15 European General Data Protection Regulation (GDPR). This campaign has now begun and the German data protection authorities are also involved. The right of access under data protection law is therefore likely to grow further in importance in 2024. This is a good reason to take a look at the most important court decisions on the scope and implementation of the right of access under Article 15 GDPR.

Key data subject right of access under data protection law: Article 15 (1) and (3) GDPR

The rights of access under Article 15 (1) and (3) GDPR are key rights of data subjects vis-à-vis the data controller. The scope of the right to copies of data (Article 15 (3) GDPR) and the legal consequences in the event of a violation of Article 15 GDPR have not been conclusively clarified, even though it has been more than five years since the GDPR came into force. This article is intended to provide an overview.

BAG: No opinion on the scope of the right to copies of data on the grounds of an indeterminate petition

On 27 April 2021, the German Federal Labour Court (BAG) (2 AZR 342/20) became the first of Germany's highest courts to comment on Article 15 GDPR. However, because the BAG rejected the petition for procedural reasons and therefore did not address the substantive scope of the right, the judgment did not lead to any clarification of the scope and limits of the right to copies of data.

The decision was based on a claim by a former employee. The claimant requested information from their former employer about what data it was processing related to them and a copy of these data. The court considered the petition for a copy to be provided to be insufficiently specific. Pursuant to section 253 (2) no. 2 German Code of Civil Procedure (ZPO), requests for access must be formulated clearly enough and the cause of action must be defined clearly enough that the scope of the judgment and the extent of the legal effect of the decision are unambiguous both in the event of a judgment granting the petition and in the event of a decision rejecting it. Against this background, the BAG ruled that the claimant had been too imprecise in designating the emails they had requested copies of. According to the BAG, if it is not possible to specifically name the emails at the time the action is brought, the data subject must assert the right of access by means of a so-called action by stages (Stufenklage) pursuant to section 254 German Code of Civil Procedure (ZPO). In this way, the scope of the right can first be determined (by ordering the defendant to submit an affirmation in lieu of an oath) and then, in the second stage, the emails can actually be disclosed. The BAG ruled similarly in another case in its judgment dated 16 December 2021 (2 AZR 235/21).

Particularly in labour court proceedings, Article 15 GDPR plays a decisive role. Former employees or rejected applicants often request access under Article 15 GDPR and in the event of incorrect fulfilment demand compensation under Article 82 GDPR (e.g. Hamm Regional Labour Court (LAG Hamm), judgment dated 11 May 2021 – 6 Sa 1260/20 and the German Federal Labour Court (BAG) in the following instance with the judgment dated 5 May 2022 – 2 AZR 363/21). The dates for the hearings in two further proceedings before the BAG (8 AZR 91/22, 8 AZR 124/23) related to Article 15 and Article 82 GDPR are scheduled for 20 June 2024. 

BGH: Broad interpretation of the right of access according to Article 15 GDPR

A very far-reaching interpretation of the right of access can be derived from the decision of the German Federal Court of Justice (BGH) dated 15 June 2021 (VI ZR 576/19). In particular, the BGH is in favour of an unlimited interpretation of the term "personal data" as defined in Article 4 No 1 GDPR and rejects a teleological reduction to merely "significant biographical information". According to the BGH, the right of access under data protection law also exists with regard to data already known to the claimant, e.g. past correspondence between the parties. Internal notes and communication, both about and with the data subject, are therefore also personal data within the meaning of the GDPR and may be the subject of a claim under Article 15 (1) GDPR (as previously asserted by the Cologne High Regional Court (OLG Köln), judgment dated 19 June 2019 – 20 U 75/18). In its judgment, however, the BGH only commented specifically on the question of whether and to what extent these are personal data that are subject to the right of access under Article 15 (1) GDPR. Whether the disclosure of a copy can be requested in addition and to the same extent pursuant to Article 15 (3) GDPR was not the subject of the proceedings. 

Limits of the rights of access and to recover possession under Article 15 GDPR

Nevertheless, the BGH has indicated certain limits to the right of access. For example, there should be no right of access to information about internal assessments of the claims (such as legal analyses), as the assessment of the legal situation made on the basis of these data does not constitute information about the data subject and therefore does not constitute personal data. The BGH has ruled similarly on premium adjustments in private health insurance, which are regularly the subject of claims for access and legal proceedings (German Federal Court of Justice (BGH), judgment dated 6 February 2024 – VI ZR 15/23; German Federal Court of Justice (BGH), judgment dated 6 February 2024 – VI ZR 62/23; German Federal Court of Justice (BGH), judgment dated 21 February 2024 – IV ZR 311/22; German Federal Court of Justice (BGH), judgment dated 27 September 2023 – IV ZR 177/22). 

Irrespective of the case law of the BGH, the GDPR itself also provides starting points for a possible restriction on requests for access under Article 15 GDPR.

The right derived from Article 15 GDPR may be restricted by national regulations or the rights and freedoms of others

The right to receive a copy can be restricted by the rights and freedoms of third parties pursuant to Article 15 (4) GDPR. Recital 63 sentence 5 GDPR cites trade secrets, intellectual property rights and copyright as examples. The controller must be able to demonstrate that the rights or freedoms of others would be adversely affected in the specific situation. Even if this is successful, however, the information may not be refused outright as a rule. In practice, this means that, for example, the names of third parties must be made illegible in documents so as not to reveal their identity. In individual cases, however, the controller may be required to name third parties after weighing up the interests involved (see German Federal Court of Justice (BGH), judgment dated 22 February 2022 – VI ZR 14/21). 

In addition, national provisions pursuant to Article 23 GDPR in conjunction with sections 27 ff. German Federal Data Protection Act (BDSG) may lead to restrictions on the right of access (e.g. in the case of special confidentiality obligations or in connection with research and archiving purposes). However, the scope of application of these exceptions is relatively limited in practice. In addition, it has not yet been conclusively clarified whether these individual exemption provisions even conform with EU law.

No information if an abusive or excessive claim is asserted – but what counts as such?

In accordance with Article 12 (5) sentence 2 (b) GDPR, the controller may disregard requests for information that are manifestly unfounded or excessive. The relevant controller bears the burden of demonstration and the burden of proof that this is the case. The threshold for assuming abuse is quite high in practice. A request may be excessive if the claim for access is repeated several times (denied e.g. by the Brandenburg Higher Regional Court (OLG Brandenburg), judgment dated 28 February 2024 – 11 U 161/23). For example, the Wuppertal Regional Court (LG Wuppertal) has assumed an abuse of rights when the data subject already has the information requested in full (judgment dated 19 September 2023 – 16 O 40/23). The Hamm Higher Regional Court (OLG Hamm) also ruled that a request for access pursuant to Article 15 GDPR is an abuse of this right if the claim is not asserted on grounds pursuant to recital 63 GDPR and the data subject is not concerned with verifying the admissibility of the processing of personal data under data protection law (decision dated 15 November 2021 – 20 U 269/21). This decision was based on a request by a claimant with private health insurance whose only demonstrable purpose in requesting access pursuant to Article 15 GDPR was to review premium adjustments that had been made so that they could calculate any repayment claims with the information provided (similar circumstances: Brandenburg Higher Regional Court (OLG Brandenburg), judgment dated 29 September 2023 – 11 U 332/22). In contrast, the Celle Higher Regional Court (OLG Celle) ruled in a comparable case that claims for access under Article 15 GDPR are not strictly bound by their purpose and do not necessarily have to pursue the objective of verifying the lawfulness of the data processing (judgment dated 15 December 2022 – 8 U 165/22).

This also corresponds to the view of the Court of Justice of the European Union (CJEU), which has since clarified that the right exists regardless of the intention pursued and is not limited to the purposes stated in recital 63 GDPR (more on this below).

Only the CJEU can establish real legal certainty: the scope of the right of access and the right to copies is taking shape

The past few years have seen a lot of movement in discussions surrounding the scope of the right of access and the right to copies under Article 15 GDPR. It would appear that the national data protection authorities have predominantly taken the view that the right to copies applies to the same extent as the right of access pursuant to Article 15 (1) second half-sentence, option 1 GDPR and therefore is not restricted to just the meta information provided under Article 15 (1) second half-sentence, option 2 GDPR. The Munich Higher Regional Court (OLG München) also favoured an extensive interpretation of Article 15 (3) GDPR and assumed an independent right in this respect (judgment dated 4 October 2021 – 3 U 2906/20). Nevertheless, even after the decisions in the highest instance from the BAG and the BGH, there was no uniform understanding of the law. 

It was therefore all the more to be welcomed that the Court of Justice of the European Union (CJEU), as the supreme judicial body of the European Union, ruled on Article 15 GDPR on several occasions in 2023. 

According to the CJEU there is an obligation to disclose the specific identity of the data recipient

The CJEU ruled that the controller is generally required pursuant to Article 15 GDPR to disclose the specific identity of the data recipients when providing access (see judgment dated 12 January 2023 – C-154/21). The CJEU argued that the data subject needed this information to assert other data subject rights, such as rectification or erasure. The controller can limit their response to naming the categories of recipients only in the case of a manifestly unfounded or excessive request for access or if, exceptionally, identification is not possible at the time the access is provided. 

The CJEU ruled similarly later in the year in its judgment dated 22 June 2023 (C-579/21). In this case, an employee of a bank who was also its customer learnt that other employees had accessed their personal data. In this respect, the CJEU found that the time and purpose of the queries are covered by the right of access, but the identity of the person making the query is not. The only circumstances under which this is not the case are if the data subject is prevented from exercising a right under the GDPR without the information about the identity of the person making the enquiry and if the right to privacy of the person making the enquiry is safeguarded. Further proceedings for a preliminary ruling on similar questions are currently pending before the CJEU in case C-203/22.

The CJEU has commented on the term "copy" within the meaning of Article 15 GDPR

In a long-awaited judgment dated 4 May 2023 (C-487/21), the CJEU ruled on the term "copy" within the meaning of Article 15 GDPR. According to the CJEU, the right to copies requires that the data subject be provided with a faithful and intelligible reproduction of their data. The right derived from Article 15 (3) GDPR was also held to cover extracts from documents, entire documents and extracts from databases, insofar as they are necessary for the data subject to assert further rights. However, the rights and freedoms of other people must also be taken into account. Ultimately, the court held that Article 15 (1) GDPR regulates the scope and subject matter of the right of access, while Article 15 (3) GDPR describes the modalities for fulfilling the obligation. Accordingly, Article 15 GDPR cannot be interpreted to the effect that subsection (3) should grant a right that deviates from subsection (1).

CJEU: First-time access is always free of charge, even for motives unrelated to data protection

In October 2023, the CJEU ruled (C-307/22) that patients have the right pursuant to Article 15 GDPR to receive one initial copy of their complete patient file free of charge. This includes all its content (e.g. diagnoses, examination results, findings) and applies regardless of the purpose the patient pursues with the information. The matter referred by the BGH was based on a case in which a patient requested free information from their dentist under Article 15 GDPR because they suspected medical malpractice. The advocate-general had already delivered the opinion that the right of access under the GDPR does not depend on the intention to use the information in question for data protection purposes. The dentist had originally stated that they would only make the file available in return for payment of the copying costs in accordance with section 630g (2) sentence 2 German Civil Code (BGB). The CJEU clarified that such costs can only be reimbursed to the dentist if the patient submits a new request for access after the first free request for access. 

The EDPB's guidelines on the right of access under Article 15 GDPR

The EDPB has also dealt in depth with the right of access under data protection law and it published its final guidelines in March 2023 ("Guidelines 01/2022 on data subject rights – Right of Access – Version 2.0"). These guidelines also indicate that Article 15 GDPR must be interpreted broadly so that the threshold for data subjects to exercise the right of access is as low as possible. In particular, the options for rejecting requests for access are to be interpreted restrictively according to the EDPB. For example, according to the guidelines, a request for access may not be rejected (exclusively) on account of high processing costs. Although the EDPB's guidelines and opinions are not binding, particularly for courts, they can provide significant benchmarks for dealing with requests for access. In this respect, the flow chart provided by the EDPB on page 61 of the guidelines appears to be particularly helpful for handling these in practice. One of the objectives of the aforementioned coordinated action of the EDPB and the national data protection authorities on Article 15 GDPR is to find out whether there is any need to adapt the current guidelines.

Practical implementation: Defining technical and organisational processes

The broad interpretation of Article 15 GDPR poses a challenge for many enterprises. Therefore, to be able to respond to GDPR requests for access efficiently and on time, it is advisable to develop suitable technical and organisational processes before any claims are received. Established data governance is recommended, particularly against the backdrop of the very tight monthly deadlines and the increasing use of data over the course of the digital transformation (especially for using artificial intelligence). 

All relevant bodies should be informed of the right of access under Article 15 GDPR and clearly defined workflows should be established in advance, taking into account responsibilities and deadlines. The EDPB guidelines can be used to orient the internal processes, as they contain, among other things, information on the formal requirements for responding to a request for access and on how to identify the person requesting information when necessary. When providing information in electronic form, care must be taken to ensure that certain security measures are taken depending on the protection requirements of the data (e.g. the Suhl Labour Court considered information provided to a former employee by means of an unencrypted email to be a violation of Article 5 GDPR, judgment dated 20 December 2023 – 6 Ca 704/23). Ultimately, it may be useful in practice to prepare a written response template that contains the information required in Article 15 (1) (a) to (h) GDPR at the very least.

Staged procedure for extensive requests for access

In the event of an enquiry under Article 15 GDPR, it is advisable to provide information promptly as to whether the data subject's personal data are being processed. The data subject should also be informed if this is not the case. If the data subject's data are only processed to a small extent (e.g. to send them a newsletter), this should be stated in the initial feedback in accordance with the requirements of Article 15 GDPR. However, if the controller processes extensive personal data of the data subject (e.g. in the case of former employees who were at the enterprise for many years), it may make sense to respond to the request for access in stages (see e.g. the EDPB in its "Guidelines 01/2022 on data subject rights – Right of Access – Version 2.0", pp. 4, 46 f.; 10. Tätigkeitsbericht (10th Activity Report) 2020 (bayern.de), pp. 50 f.).

Violations of the right of access can result in fines and compensation claims

Violations of the right of access in Article 15 GDPR can not only be penalised by the data protection authorities with fines, but can also trigger compensation claims from the data subject pursuant to Article 82 GDPR. If access is not provided at all, is not provided in full or is provided late, the data subject may suffer non-material damage. The compensability of such damage has long been denied by some national courts with reference to the need to reach a so-called materiality or de minimis threshold (e.g. Leipzig Regional Court (LG Leipzig), judgment dated 23 December 2021 – 03 O 1268/21). In its judgment dated 4 May 2023 (C-300/21), however, the CJEU ruled in the highest instance that no materiality or de minimis threshold must be exceeded to claim compensation for non-material damage. Nevertheless, even in the opinion of the CJEU, a claim is not automatically triggered by every GDPR infringement, but instead only if the data subject can prove causal damage.

Our regularly updated German blog post on the case law on compensation in accordance with Article 82 GDPR provides up-to-date information on this topic. The CMS Enforcement Tracker provides an overview of GDPR fines.