In a judgment of 26.07.2019, the OLG Köln interpreted the right to information from the General Data Protection Regulation very broadly. Even if the judgment does not actually concern it law, it is very relevant for data protection law and therefore especially for all IT companies, which often store a lot of user data because of the nature of the case.
In the event of the action being dismissed, the defendant is ordered to send the plaintiff a “list of your personal data from the central data processing” and “establishment of your personal data from the data processing” already provided by letter of 10.08.2018. Life insurance contract No. … In addition, to provide information on all other personal data relating to him, in particular in conversation notes and telephone notes, which the defendant has stored, used and processed.
Among other things, the General Court deals very extensively with the conditions and, in particular, with the scope of the right to information, which the applicant asserted in this case, inter alia, in order to substantiate his actual claims.
In contrast to the case at first instance, the existence of a corresponding right to information must be measured in Article 15 of the General Data Protection Regulation.
[…]
According to Art. 15 GDPR, every data subject, i.e. every identifiable or identified person according to Art. 4 No. 1 GDPR, has the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data.
The concept of “personal data” under Article 4 GDPR is broad and, according to the legal definition in Article 4(1) GDPR, includes all information relating to an identifiable natural person.
The provision thus covers both personal information used in context, such as identification characteristics (e.g. name, address and date of birth), external characteristics (such as gender, eye colour, height and weight) or internal states (e.g. opinions, motives, wishes, beliefs and value judgments), as well as factual information such as property and ownership, communication and contractual relations and all other relationships of the data subject with third parties and their environment. Such statements, which provide a subjective and/or objective assessment of an identified or identifiable person, also have a personal reference.
The following passage is particularly relevant:
In so far as the defendant wishes to see the concept of personal data limited to the master data already communicated and considers that an obligation to provide information on, in particular, electronically stored notes on telephone calls made with the applicant and other discussions, a corresponding understanding cannot be reconciled with the broad data concept underlying the GDPR. Because the development of information technology with its extensive processing and linking possibilities, there is no longer any inconsequential data. To the extent that statements made by the plaintiff or statements about the plaintiff are recorded in conversation notes or telephone notes, this is without further ado.
This also applies to the question of the protection of trade secrets:
Nor can the defendant successfully rely on the fact that a correspondingly broad concept of data would infringe its trade secrets. Notwithstanding all other questions, that is the case only because information made by the applicant himself to his insurance company cannot be vulnerable to him and therefore cannot be its trade secret.
It is also important to note that the court states that a person obliged to provide information is NOT prevented from accessing or searching for certain data. Everyone must create the opportunity internally to comply with a comprehensive claim for information.
In so far as the defendant considers that it is economically impossible for large companies, which, like them, would manage a large amount of data, with the resources at its disposal, to search and secure files for personal data, this does not catch in the way. . It is for the defendant, who uses electronic data processing, to organise it in accordance with the legal system and, in particular, to ensure that data protection and the resulting rights of third parties are taken into account.
Nor is there any reason to limit the defendant’s condemnation of the provision of information in the tenor that ‘the surrender concerns only data/information which does not affect the rights and freedoms of other persons under Article 15(1) of the Convention. 4 GDPR and the interests of the insurer guaranteed by fundamental rights’. Irrespective of the fact that the inclusion of such a restriction would raise the question of the sufficient determination of such a tenor, there is no need for such a. The obligation to provide information relates exclusively to the personal data relating to the applicant. It is also, of course, for the defendant to fulfil this obligation in accordance with the legal order and in particular the provisions of the GDPR and to grant the resulting data protection concerns of third parties. This does not limit their obligation to provide information. Nor is it for the General Court to determine, in the present case, how exactly the provision of information is to be made in the individual case. That would also not be possible, moreover, in particular since, despite the request, the defendant failed to make any submissions in the dispute as to what exactly it had stored and processed in addition to the applicant’s retained master data.