GDPR Right of Access is Not Subject to Statutes of Limitation

The Chemnitz District Court (AG Chemnitz) ruled on November 22, 2024 (Case No. 16 C 1063/24) that the right of access under Article 15 of the General Data Protection Regulation (GDPR) is not subject to any statute of limitations and can therefore be exercised at any time. This decision is significant for affected individuals as it strengthens their ability to obtain information about the processing of their personal data even after a long period.

What Was the Case About?

An insured individual filed a lawsuit based on Article 15 of the GDPR against their private health insurance provider. They demanded the release of data stored about them, specifically requesting information on the dates and amounts of premium adjustments, as well as tariff changes and terminations, dating back to 2002. The insurer refused to provide the information, citing statutes of limitation.

How Did the Court Rule?

The Chemnitz District Court rejected the insurer’s argument and clarified that the right of access under the GDPR is fundamentally not subject to statutes of limitation. The court justified its decision as follows:

  • No Limitation Period Under European Law: European law does not prescribe a statute of limitations for the right of access under Article 15 of the GDPR.
  • Nature of the Right: The right of access is inherently not subject to limitation because it has no prerequisites for its existence and can be exercised unconditionally at any time. This applies even when no personal data is being processed, as in such cases, there is at least a right to a negative response.
  • Independent Primary Right: The right of access is an independent primary right and not an ancillary right to another claim. Therefore, the principles of § 242 of the German Civil Code (BGB) concerning performance in good faith cannot be invoked.

Practical Consequences

The ruling has the following implications:

  • Strengthened Rights for Affected Individuals: Individuals can assert their right of access under Article 15 of the GDPR at any time, regardless of how long ago the data was processed. This reinforces individual rights regarding transparency in data processing.
  • No Reliance on Statutes of Limitation for Denial: Companies cannot invoke statutes of limitation to deny access requests. They must be prepared to provide information about the processing of personal data, even years later.

Summary

The Chemnitz District Court’s ruling emphasizes the non-applicability of statutes of limitation to the right of access under Article 15 of the GDPR. This strengthens the position of individuals and forces companies to adapt to the reality that access requests may be made even after many years. Companies must adjust their processes accordingly to meet these requirements.
