The Higher Regional Court (OLG) of Düsseldorf has ruled in a recent decision (OLG Düsseldorf, Decision of 02.12.2024 – Case No. 16 W 93/23) that a request for information under Article 15 of the General Data Protection Regulation (GDPR) cannot be denied simply because a company fears that the affected person might use the obtained information for purposes other than those intended by the GDPR. This clarification strengthens the rights of individuals and obligates companies to provide comprehensive information, regardless of the suspected use of the data.
Case Background
A plaintiff requested information from an online gambling provider regarding their gaming and payment history based on the right of access enshrined in Article 15 GDPR. However, the provider feared that the plaintiff would use this information solely to prepare a lawsuit seeking reimbursement of lost bets.
Court Decision
The OLG Düsseldorf ruled that the information must be provided. The court emphasized the following key points:
- No Restriction on the Right of Access: Article 15 GDPR is not subject to additional conditions and cannot be denied simply because the obtained data might be used for purposes other than verifying GDPR-compliant data processing. The right of access under Article 15(1) GDPR does not depend on how the individual intends to use the information. It exists independently of the goals pursued with the request.
- No Obligation to Justify the Request: The right of access is also not dependent on the affected person providing a justification or being entirely unaware of the requested data and information.
The court argued that the right of access is a fundamental right of the affected person and cannot be restricted based on concerns about alternative use. It is irrelevant whether the request is intended to support legal claims. The primary purpose of the right of access is to ensure transparency and enable individuals to verify the legality of data processing.
Implications for Practice
The ruling has the following consequences for companies:
- Obligation to Provide Information Regardless of Purpose: Companies must respond to access requests under Article 15 GDPR, even if they fear that the affected person might use the information for other purposes.
- No Rejection Due to “Pre-Trial Discovery”: The right of access cannot be denied on the grounds that the information might be used for potential litigation.
- Comprehensive Disclosure: Companies must provide full details about the processed personal data, even if the affected person is already aware of some of the information.
Conclusion
The OLG Düsseldorf has clarified that a GDPR access request cannot be rejected simply because the applicant might use the information for other purposes, such as preparing a lawsuit. This decision reinforces the right of individuals to obtain comprehensive information about their personal data and makes it clear that companies cannot arbitrarily limit this right. Companies must process access requests promptly and fully and should be prepared to handle such inquiries accordingly.
