Support Centre

North Rhine-Westphalia: Cologne Higher Regional Court issues decision on right of access and definition of personal data

The Cologne Higher Regional Court ('the Court') issued, on 26 July 2019, its decision No. 20 U 75/18, addressing the right of access and definition of personal data under the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). Dr. Carlo Piltz, Attorney at Law at reuschlaw Legal Consultants, provides insight into the reasoning of the decision and its interpretation of GDPR provisions.

bernie_photo / Signature collection / istockphoto.com

The Court, as an appellate court in a legal dispute between a policyholder and their insurance company, expressed its opinion on the scope of applicability of the right of access, pursuant to Article 15 of the GDPR, and on the definition of 'personal data.' Before the direct applicability of the GDPR in Germany, according to Section 34 of the previous German Federal Data Protection Act (which also provided for a right of access), the Aachen Regional Court ('the Aachen Regional Court') only recognised a claim for information for the master data of the data subject, but not for further data such as conversation notes and internal notes about the data subject, created by the insurer.

Although the GDPR was not yet applicable at the time of the Aachen Regional Court's decision, the Court is of the opinion that amendments to the Federal Data Protection Act of 30 June 2017 (implementing the GDPR) must also be taken into account, which the Aachen Regional Court could not apply because they had not yet come into force.

The first main issue addressed in the decision is the scope of 'personal data.'
 
According to Court, the term 'personal data' is to be understood very broadly. The Court stated that personal data within the meaning of Article 4(1) of the GDPR are all information relating to an identifiable natural person. This definition includes personal information used in context, such as:

  • identification features, such as name, address, and date of birth;
  • external features, such as gender, eye colour, height, and weight;
  • internal conditions, such as opinions, motives, wishes, convictions, and value judgments;
  • factual information, such as asset and ownership relationships, communication and contractual relationships; and
  • all other relationships between the person concerned and third parties.

Such statements that provide a subjective and/or objective assessment of an identified or identifiable person also have a personal reference. Consequently, it is sufficient for data to be classified as personal data if it refers indirectly to a natural person.
 
The Court further explained that limiting the definition of 'personal data' to the master data already communicated, as well as the view that there is no obligation to provide information on, in particular, electronically stored notes on telephone calls and other conversations conducted with the data subject, cannot be reconciled with the provisions of the GDPR. Due to the development of IT, with its comprehensive processing and linking capabilities, there is no longer irrelevant data, as provided by the German Federal Constitutional Court judgment of 15 December 1983, Ref. 1 BvR 209/83. Insofar as statements by the data subject or statements about the data subject are recorded in memos of conversations or telephone notes, these are to be considered personal data, which fully fall within the scope of the GDPR.
 
In particular, the broad statement that 'no more irrelevant data exists,' could lead to a situation where internal correspondence between data controllers and data subjects could also be subject to a right of access request. According to the Court, a right of access request is limited only to the extent that a correspondingly broad definition of data could violate trade secrets. However, information provided to the controller by the data subject themselves cannot be considered to require protection from the controller and therefore cannot constitute a business secret.
 
Moreover, companies should not be able to rely on the fact compiling information to fulfil a right of access request would constitute a disproportionate effort, since it is the responsibility of the controller who uses electronic data processing to organise it in accordance with the legal provisions of the GDPR and, in particular, to ensure that data protection and the rights of third parties resulting therefrom are taken into account.

In the Court's judgment, the appeal on questions of law was only admitted for the question of the scope of the right of access, according to Article 15 of the GDPR. If the defendant appeals on questions of law only, the dispute will then be forwarded to the Federal Supreme Court. If the Federal Supreme Court has fundamental questions regarding Article 15 of the GDPR, it could submit the fundamental question to the Court of Justice of the European Union ('CJEU') according to the requirements of Article 267 of the Treaty on the Functioning of the European Union.
 
In this regard, the CJEU decided on the question of the scope of the right of access with the old legal situation under the Data Protection Directive (Directive 95/46/EG) ('the Directive') (judgment of 20 December 2017, C-434/16, Peter Nowak v Data Protection Commissioner1). If the question were be submitted now, the CJEU would have the possibility to decide the same on the applicability of the GDPR. In the Peter Nowak v Data Protection Commissioner judgment, the CJEU had decided that the written answers given in a job-related examination and any remarks of the examiner on these answers, represent personal data of the examinee, who has in principle the right to access their data. In another decision relating to the right of access under the Directive, the CJEU took a stricter view and held that the 'data subject cannot derive, from either Article 12(a) of the Directive or Article 8(2) of the Charter of Fundamental Rights of the European Union, the right to obtain a copy of the document or the original file in which those data appear.' As a consequence, according to the CJEU, the right of access only encompasses the data as such, but not the document containing them.

Dr. Carlo Piltz Attorney at Law
[email protected]
reuschlaw Legal Consultants, Berlin

1. Available at: http://curia.europa.eu/juris/document/document.jsf;jsessionid=AE0141B4009BA05D7C49EB844507EB78?text=&docid=199621&pageIndex=0&doclang=EN&mode=req&dir=&occ=first&part=1&cid=3171