Insurance company ordered to cover the cost of repairs for a customer Summary A customer of a health insurance company • The Court concluded that the data subject has a experienced an increase in his premiums. Subsequently, legitimate interest in using GDPR, Article 15(3) to after paying the premium for a period, he requested reduce an asymmetric level of information between a refund, as well as access to all supplementary themselves and the controller to protect their rights. documents related to the insurance policy and Moreover, the Court noted that the right to access notification letters sent to him during the contractual must not depend on an unverifiable assertion relationship. about the inner motivation of a data subject. The Regional Court of Aachen ruled in favor of the data Our remarks subject in the initial hearing. However, the controller • The right to access is independent of the right (the insurance company) appealed the decision, to a copy of the data and should be construed arguing that GDPR, Article 15 only requires transparency extensively to provide individuals with a complete of processed data and does not grant access to picture of how their data is being used. documents. The controller further contended that granting access to such a wide range of documents • Controllers cannot reject a request for access would be an impermissible discovery of evidence, unless it is excessive or unfounded and must contrary to the principle of civil procedural law. Lastly, provide access to any supplementary information the controller claimed that the data subject’s request related to the data. Be aware that the burden of was excessive under GDPR, Article 12(5) as it was meant proof that a request is excessive lies with you as the to verify the validity of premium increases, not the controller. lawfulness of the processing. • Data controllers must not restrict or limit the right The Decision of the Higher Regional Court of to access based on the motivation or purpose of Köln (OLG Köln) the request and must consider the overall purpose of the GDPR to protect the rights and freedoms of OLG Köln rejected the controller’s arguments, ordering individuals in relation to their personal data. them to pay and cover the cost of repairs to the data subject (~2000 EUR) as well as providing access to the ° Be aware, however, that even though this case is documents in question with the following holdings: conclusive and persuasive, it differs from other cases. For example, the Danish DPA has, in a similar case, • The Court found that the right to a copy is ruled that a father could not gain access to the data independent from the right to access and gives the processed about his daughter at a sports club, since data subject a right to a copy of the data in its raw his motivation was not to secure the lawfulness of the form (GDPR, Articles 15(1) and 15(3)). data processing, but to gain access to his daughters • The Court rejected the controller’s arguments that dancing class schedule. Link to article. the request was excessive under German Civil Code or GDPR, Article 12(5). It reasoned that the overall purpose of the GDPR is to protect all rights and freedoms of the individual against harm and risks arising from the processing of personal data, not just those enshrined in data protection law. Published: 13-0-2022 Journal number: 20 U 295/21 Tags: 02 Right of access and obligation to provide information 60