We would like to ensure that you are still receiving content that you find useful – please confirm that you would like to continue to receive ILO newsletters.
04 May 2021
In 2019 the Cologne Higher Regional Court issued a decision on the scope of the right to information under Article 15(1) of the EU General Data Protection Regulation (GDPR) that has enormous implications for insurers that collect or process personal data.
The plaintiff had taken out a life insurance policy with an additional occupational disability policy with the defendant.(1) A dispute arose as to the date from which the plaintiff became occupationally incapacitated in accordance with the terms of the insurance contract.
It was undisputed between the parties that the plaintiff was incapacitated at least as of 1 August 2014. The defendant granted the plaintiff benefits from the insurance policy. The plaintiff claimed that he had already been seriously ill with depression in 2008, even though he had not notified insurers until 2014.
The plaintiff demanded an occupational disability pension from 1 September 2008, as well as complete information on the personal data relating to him.
In the first instance, the Cologne Regional Court dismissed the action and rejected the claim for information regarding the plaintiff's personal data.
The appeal was rejected with regard to the claim for benefits from the occupational disability insurance as the plaintiff was unable to prove that he:
However, the plaintiff was successful with regard to the data disclosure: the Cologne Higher Regional Court found the action to be well founded in this respect and specified what is or can be included in policyholders' personal data in general.
Pursuant to Article 15 of the Federal Data Protection Act, which implemented the GDPR in Germany, every data subject has the right to obtain from the controller confirmation as to whether personal data concerning them is being processed. If this is the case, data subjects have, among other things, a right of access to such personal data.
The term 'personal data' according to Article 4 of the GDPR must be construed broadly and includes, according to the legal definition in Article 4(1), all information relating to an identifiable natural person. Thus, the provision covers personal information used in context, such as:
Statements that provide a subjective or objective assessment of an identified or identifiable person also have a personal reference.
The court held that, insofar as the defendant wished to see the concept of personal data limited to the master data already disclosed and believed that there was no obligation to provide information about, in particular, electronically stored notes from telephone calls and other conversations conducted with the plaintiff, such an understanding cannot be reconciled with the broad concept of data underlying the GDPR. This is because the development of information technology with its comprehensive processing and linking possibilities means that there is no longer any such thing as inconsequential data.
According to the Cologne Higher Regional Court, the defendant could not successfully plead that a correspondingly broad definition of data would violate its business secrets. Irrespective of all other questions that may arise, this applied because information that the plaintiff himself provided to his insurer did not require protection from the latter and thus could not be its business secret.
Insofar as the defendant believed that it would be economically impossible for large companies that manage an extensive database to search and back up files for personal data with the resources at their disposal, this was not valid according to the Cologne Higher Regional Court. The court held that it was up to the defendant, which used electronic data processing, to organise it in accordance with the legal system and, in particular, to ensure that data protection and the rights of third parties arising therefrom were taken into account.
The Cologne Higher Regional Court's decision on the scope of the right to information under Article 15(1) of the GDPR has enormous implications for all companies that collect or process personal data, especially insurers which offer all types of policy, not just life and occupational disability insurance policies.
The right to information pursuant to Article 15 of the GDPR covers not only the so-called 'master data' in the relationship between the insurer and the policyholder, but also telephone and conversation notes that the insurer has stored, used and processed with reference to the policyholder.
The party obliged to provide information may not plead that it is economically impossible for it to search and secure files for personal data with the resources available. It is the responsibility of the controller which uses electronic data processing to organise it in accordance with the legal system and, in particular, to ensure that data protection and the rights of third parties arising therefrom are taken into account.
Violations of the right to information under Article 15(1) of the GDPR can be punished with significant fines of up to €20 million or up to 4% of the total worldwide annual turnover of the previous fiscal year pursuant to Article 83(5)(b) of the GDPR.
For further information on this topic please contact Carolin Schilling-Schulz or Wassilis Thomas at Arnecke Sibeth Dabelstein by telephone (+49 40 31 779 70) or email (firstname.lastname@example.org or email@example.com). The Arnecke Sibeth Dabelstein website can be accessed at www.asd-law.com.
The materials contained on this website are for general information purposes only and are subject to the disclaimer.
ILO is a premium online legal update service for major companies and law firms worldwide. In-house corporate counsel and other users of legal services, as well as law firm partners, qualify for a free subscription.