Everyone has the right to information about their personal data. This is what the GDPR provides for.
The right to information has two levels
The right to information is a central element of data protection. Everyone should be able to find out what a company knows about them, for example. The right consists of two levels. In stage 1, the data subject can request information about whether data relating to him or her is being processed at all. If this is not the case, the answer is no. If it is, the answer is yes.
The personal reference of data goes a long way
In the „yes“ case, level 2 of the claim follows. Then the data subject can demand information about all the data requested that relates to him or her. This goes very far. It really covers everything that is available about a person. The Federal Court of Justice has made this clear using the example of a life insurance policy. According to this, the claim includes, for example:
- all correspondence between the insurance company and the insured person
- all data of the insurance account
- all telephone notes and notes of conversations containing facts about the insured person
But, see Federal Labor Court, judgment of April 27, 2021, file no. 2 AZR 342/20
The Erfurt judges ruled that a blanket request for unspecified copies or documents is not sufficiently specific. Responsible parties must therefore continue to provide information, but they only owe the provision of copies of precisely designated documents.
Honesty is the best policy
What if the company has expressly forbidden „personal notes“ about customers, but they still exist? Then the existence of these notes is often concealed when the company has information compiled. The consequence: The information is incomplete! In the worst case, this can cause the company considerable legal trouble.
The information is often the basis for further claims
The General Data Protection Regulation (GDPR) grants the right to information so that the data subject can exercise further rights. For example, if the data subject discovers that data in the disclosure is incorrect, he or she will demand that this data be corrected. Of course, this also serves data protection and is fine.
Where does the abuse begin?
Sometimes, however, a request for information is made in a completely different way. For example, a customer requests information from a company about all the data that concerns him. This happens while a legal dispute – for example, because of alleged defects in a delivery – is already in the air. In this case, the customer is not concerned about data privacy. Sometimes, in such cases, a customer also says quite
openly that he is looking for additional evidence for a legal dispute.
The courts are still wavering
Is this an abuse of rights or is it still okay? The courts are not yet in agreement on this at the moment. The GDPR does not limit the right to information to specific motives. This speaks against an abuse. On the other hand, the aim of the GDPR is data protection. It should never become a lever for being able to bully contractual partners. Nor was it ever intended as an instrument for obtaining evidence. But as I said, the courts have decided very differently so far.
Information normally costs nothing
This is particularly tricky against the background that normally nothing may be charged for information. An exception applies if there is an „excessive request“. This would be the case, for example, if someone requests information about the same data several times at short intervals. The example shows that such exceptions are really rare.
Internal instructions become stricter
As a result, companies must prepare themselves for having to provide comprehensive information far more frequently than they used to – and free of charge. The associated expense is considerable. It is understandable that companies are reacting to this. In many cases, they use internal instructions to define much more precisely than before which data employees are allowed to store at all. The duration of storage is also often regulated more strictly. Everyone in a company would do well to carefully observe such requirements.