In 2019 the Cologne Higher Regional Court issued a decision on the scope of the right to information under Article 15(1) of the EU General Data Protection Regulation (GDPR) that has enormous implications for insurers that collect or process personal data.

Facts

The plaintiff had taken out a life insurance policy with an additional occupational disability policy with the defendant.(1) A dispute arose as to the date from which the plaintiff became occupationally incapacitated in accordance with the terms of the insurance contract.

It was undisputed between the parties that the plaintiff was incapacitated at least as of 1 August 2014. The defendant granted the plaintiff benefits from the insurance policy. The plaintiff claimed that he had already been seriously ill with depression in 2008, even though he had not notified insurers until 2014.

The plaintiff demanded an occupational disability pension from 1 September 2008, as well as complete information on the personal data relating to him.

In the first instance, the Cologne Regional Court dismissed the action and rejected the claim for information regarding the plaintiff's personal data.

Decision

The appeal was rejected with regard to the claim for benefits from the occupational disability insurance as the plaintiff was unable to prove that he:

  • had been seriously ill in 2008; and
  • was not at fault for not notifying the insurer – 'forgetting' about an insurance policy would not absolve him from fault.

However, the plaintiff was successful with regard to the data disclosure: the Cologne Higher Regional Court found the action to be well founded in this respect and specified what is or can be included in policyholders' personal data in general.

Pursuant to Article 15 of the Federal Data Protection Act, which implemented the GDPR in Germany, every data subject has the right to obtain from the controller confirmation as to whether personal data concerning them is being processed. If this is the case, data subjects have, among other things, a right of access to such personal data.

The term 'personal data' according to Article 4 of the GDPR must be construed broadly and includes, according to the legal definition in Article 4(1), all information relating to an identifiable natural person. Thus, the provision covers personal information used in context, such as:

  • identifying characteristics (eg, name, address and date of birth);
  • external characteristics (eg, gender, eye colour, height and weight);
  • internal states (eg, opinions, motives, wishes, convictions and value judgements);
  • factual information (eg, asset and property relationships, communication and contractual relationships); and
  • all other relationships between the data subject and third parties and their environment.

Statements that provide a subjective or objective assessment of an identified or identifiable person also have a personal reference.

The court held that, insofar as the defendant wished to see the concept of personal data limited to the master data already disclosed and believed that there was no obligation to provide information about, in particular, electronically stored notes from telephone calls and other conversations conducted with the plaintiff, such an understanding cannot be reconciled with the broad concept of data underlying the GDPR. This is because the development of information technology with its comprehensive processing and linking possibilities means that there is no longer any such thing as inconsequential data.

According to the Cologne Higher Regional Court, the defendant could not successfully plead that a correspondingly broad definition of data would violate its business secrets. Irrespective of all other questions that may arise, this applied because information that the plaintiff himself provided to his insurer did not require protection from the latter and thus could not be its business secret.

Insofar as the defendant believed that it would be economically impossible for large companies that manage an extensive database to search and back up files for personal data with the resources at their disposal, this was not valid according to the Cologne Higher Regional Court. The court held that it was up to the defendant, which used electronic data processing, to organise it in accordance with the legal system and, in particular, to ensure that data protection and the rights of third parties arising therefrom were taken into account.

Comment

The Cologne Higher Regional Court's decision on the scope of the right to information under Article 15(1) of the GDPR has enormous implications for all companies that collect or process personal data, especially insurers which offer all types of policy, not just life and occupational disability insurance policies.

The right to information pursuant to Article 15 of the GDPR covers not only the so-called 'master data' in the relationship between the insurer and the policyholder, but also telephone and conversation notes that the insurer has stored, used and processed with reference to the policyholder.

The party obliged to provide information may not plead that it is economically impossible for it to search and secure files for personal data with the resources available. It is the responsibility of the controller which uses electronic data processing to organise it in accordance with the legal system and, in particular, to ensure that data protection and the rights of third parties arising therefrom are taken into account.

Violations of the right to information under Article 15(1) of the GDPR can be punished with significant fines of up to €20 million or up to 4% of the total worldwide annual turnover of the previous fiscal year pursuant to Article 83(5)(b) of the GDPR.

Endnotes

(1) Decision of the Cologne Higher Regional Court, 26 July 2019 – 20 U 75/18.